Potential Successful Linux FTP Brute Force Attack Detected

Last updated: 2025-01-15
Created: 2023-07-06

About

An FTP (File Transfer Protocol) brute force attack is one in which an attacker systematically tries username and password combinations until one grants access to an FTP server. A successful guess gives the attacker whatever access the compromised account has to the server's files: data can be read, modified or stolen, compromising the integrity of the server and potentially exposing sensitive information. This rule identifies ten consecutive authentication failures against the same user account, from the same source address, on the same host, within a five-second window, followed by a successful authentication for that same host, address and user. Events whose source address is missing, 0.0.0.0 or :: are ignored, since they carry no usable client address.
Tags
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*
logs-auditd_manager.auditd-*
Related Integrations

auditd_manager

Query
sequence by host.id, auditd.data.addr, related.user with maxspan=5s
  [authentication where host.os.type == "linux" and event.action == "authenticated" and
   auditd.data.terminal == "ftp" and event.outcome == "failure" and auditd.data.addr != null and
   auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] with runs=10
  [authentication where host.os.type == "linux" and event.action == "authenticated" and
   auditd.data.terminal == "ftp" and event.outcome == "success" and auditd.data.addr != null and
   auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1
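The sequence above is easiest to reason about by replaying it over concrete events. The following Python is an added example, not Elastic's code or part of the rule: it approximates the EQL semantics (join on host.id, auditd.data.addr and related.user; ten consecutive failures, then a success, with the success no more than 5 seconds after the earliest of those ten failures; null, 0.0.0.0 and :: addresses excluded) over constructed auditd-style events. Events are plain dicts keyed by the ECS field names the rule uses, with a datetime under "@timestamp"; related.user is simplified to a single string, and whether an intervening success resets a run of failures is a simplification here that the EQL engine may handle differently.

```python
"""Added example: replay the rule's sequence logic over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAXSPAN = timedelta(seconds=5)        # sequence ... with maxspan=5s
RUNS = 10                             # [failure stage] with runs=10
EXCLUDED_ADDRS = {None, "0.0.0.0", "::"}

# Constructed base time for the sample events below (assumption, not real data).
T0 = datetime(2025, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def auth_event(offset_s, outcome, *, addr="203.0.113.5", user="ftpuser",
               host="host-1", terminal="ftp", os_type="linux"):
    """Build one constructed authentication event shaped like the rule's fields."""
    return {
        "@timestamp": T0 + timedelta(seconds=offset_s),
        "host.id": host,
        "host.os.type": os_type,
        "event.action": "authenticated",
        "event.outcome": outcome,
        "auditd.data.terminal": terminal,
        "auditd.data.addr": addr,
        "related.user": user,           # simplified: a single user name string
    }


def matches_filter(ev):
    """Per-event conditions shared by both stages of the sequence."""
    return (ev.get("host.os.type") == "linux"
            and ev.get("event.action") == "authenticated"
            and ev.get("auditd.data.terminal") == "ftp"
            and ev.get("auditd.data.addr") not in EXCLUDED_ADDRS)


def detect(events):
    """Return one alert per success that is preceded by at least RUNS consecutive
    failures for the same (host.id, auditd.data.addr, related.user), where the
    success falls within MAXSPAN of the earliest failure in that run of RUNS."""
    alerts = []
    runs = defaultdict(list)  # join key -> timestamps of consecutive failures
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        key = (ev["host.id"], ev["auditd.data.addr"], ev["related.user"])
        ts = ev["@timestamp"]
        if ev["event.outcome"] == "failure":
            runs[key].append(ts)
        elif ev["event.outcome"] == "success":
            # Simplification: any success ends the current run for this key.
            run = runs.pop(key, [])
            # A sequence may start at any failure; the latest start that still
            # leaves RUNS failures before the success is run[-RUNS], so that is
            # the one to test against maxspan.
            if len(run) >= RUNS and ts - run[-RUNS] <= MAXSPAN:
                alerts.append({
                    "host.id": key[0],
                    "source.address": key[1],
                    "user": key[2],
                    "failures": len(run),
                    "first_failure": run[-RUNS],
                    "success": ts,
                })
    return alerts


if __name__ == "__main__":
    # Ten failures 200 ms apart, then a success 2.5 s after the first failure.
    sample = [auth_event(0.2 * i, "failure") for i in range(10)]
    sample.append(auth_event(2.5, "success"))
    for alert in detect(sample):
        print(alert)
```

The negative cases worth keeping in mind when tuning: the same ten failures spread one second apart do not fire, because the earliest of the ten is more than 5 seconds before the success; nine failures do not fire; and a success from a different source address, a different terminal such as ssh, or an address of 0.0.0.0 never joins the failure run. Those are exactly the knobs (runs, maxspan, the address exclusions) a practitioner would adjust for an FTP server that authenticates slowly or sits behind a proxy that rewrites client addresses.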

Install detection rules in Elastic Security

Install this rule into your Elastic Stack to detect potential successful Linux FTP brute force attacks with the Elastic Security detection engine.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.