Improve description and false positives for Linux security tool disablement detection#5853
Open
amittrap wants to merge 4 commits into SigmaHQ:master from
Conversation
…lement detection Enhances the description to clarify the detection of attempts to disable Linux security services and adds more context on potential false positives.
Improve description and false positives for suspicious OpenSSH error detection
nasbench
requested changes
Feb 16, 2026
| - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md | ||
| author: Ömer Günal, Alejandro Ortuno, oscd.community | ||
| date: 2020-06-17 | ||
| modified: 2022-11-26 |
Member
Modified date needs to be updated
| - 'Failed password' | ||
| - 'Invalid user' | ||
| - 'authentication failure' | ||
| - 'PAM authentication failure' |
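Review bot: the fourth keyword, `'PAM authentication failure'`, already contains the third, `'authentication failure'`, so under a substring (contains-style) match the longer string can never produce a hit the shorter one does not; drop one of the two, or keep only the longer one if the intent is to match PAM failures specifically.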
Member
PAM is not linked to SSH so PAM authentication failure could mean many things.
Also the other strings you are using are generic since you are reading this from syslog. So you cannot call this an SSH bruteforce.
I suggest you update the metadata to reflect that auth failures are in place or something similar and worth investigating.
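To make the point above concrete, here is an added example (not part of this PR or the SigmaHQ repository) that runs the four keyword strings from the proposed rule over constructed syslog lines. The sample lines, host and process names are made up, and the matcher assumes plain case-sensitive substring matching, i.e. Sigma's `contains` semantics, since the rule's modifier is not shown in the diff. It tallies which process each keyword fires on, shows a narrowed variant that additionally requires the process to be `sshd`, and flags keywords that are already covered by a shorter keyword in the same list.

```python
import re
from collections import Counter

# Keyword strings copied from the rule as shown in the PR diff.
AUTH_FAILURE_KEYWORDS = [
    "Failed password",
    "Invalid user",
    "authentication failure",
    "PAM authentication failure",
]

# Constructed sample syslog lines (not real logs): only sshd lines are SSH,
# the sudo, login and su lines are local PAM failures on the same host.
SAMPLE_SYSLOG = """\
Feb 16 10:01:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 16 10:01:05 host1 sshd[1201]: Invalid user admin from 203.0.113.7 port 51022
Feb 16 10:02:10 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
Feb 16 10:03:33 host1 login[888]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=bob
Feb 16 10:04:00 host1 su[901]: PAM authentication failure for user root
Feb 16 10:05:12 host1 cron[777]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Traditional BSD syslog layout: timestamp, host, process[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(text):
    """Yield one dict (ts, host, proc, pid, msg) per parseable syslog line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()


def matches_keywords(msg, keywords=AUTH_FAILURE_KEYWORDS):
    """Return the keywords found as substrings of msg (assumed 'contains' semantics)."""
    return [kw for kw in keywords if kw in msg]


def processes_triggering(text):
    """Count, per process name, how many lines the keyword list would fire on."""
    counts = Counter()
    for ev in parse_syslog(text):
        if matches_keywords(ev["msg"]):
            counts[ev["proc"]] += 1
    return dict(counts)


def sshd_only_hits(text):
    """Narrowed variant: keyword match AND the emitting process is sshd."""
    return [ev["msg"] for ev in parse_syslog(text)
            if ev["proc"] == "sshd" and matches_keywords(ev["msg"])]


def redundant_keywords(keywords=AUTH_FAILURE_KEYWORDS):
    """Keywords that contain another keyword from the list and so add no extra hits."""
    return [kw for kw in keywords
            if any(other != kw and other in kw for other in keywords)]


if __name__ == "__main__":
    print("hits per process:", processes_triggering(SAMPLE_SYSLOG))
    print("sshd-only hits:", len(sshd_only_hits(SAMPLE_SYSLOG)))
    print("redundant keywords:", redundant_keywords())
```

On the constructed input the unfiltered keyword list fires on sshd, sudo, login and su alike, which is why the rule as written describes generic authentication failures rather than an SSH brute force; restricting on the process name (or on a source-specific field if the log source provides one) is what turns it back into an SSH-specific detection.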
| - Unknown | ||
| - Rare SSH client compatibility issues | ||
| - Corrupted or malformed SSH traffic due to network issues | ||
| - Security testing, vulnerability scanning, or fuzzing activity |
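Review bot: `Unknown` on the first line contradicts the three concrete entries that follow; Sigma rules list `Unknown` only when no specific false positive is known. Keep either `Unknown` alone or the concrete entries, not both.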
Member
These are not FPs but potentially accepted TPs. So we do not list them
Suggested change
| - Security testing, vulnerability scanning, or fuzzing activity |
Comment on lines +4 to +8
| description: > | ||
| Detects suspicious or fatal OpenSSH daemon error messages that may indicate | ||
| exploitation attempts, malformed authentication traffic, or protocol abuse | ||
| targeting the SSH service. Such errors are commonly observed during | ||
| vulnerability scanning or active exploitation. |
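Review bot: the last sentence names vulnerability scanning as an expected trigger of this rule, while the falsepositives list in the same file names "Security testing, vulnerability scanning, or fuzzing activity" as a false positive; the two statements contradict each other, so keep scanning in one place only (as a true positive in the description, per the earlier comment).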
Member
Suggested change
| description: > | |
| Detects suspicious or fatal OpenSSH daemon error messages that may indicate | |
| exploitation attempts, malformed authentication traffic, or protocol abuse | |
| targeting the SSH service. Such errors are commonly observed during | |
| vulnerability scanning or active exploitation. | |
| description: | | |
| Detects suspicious or fatal OpenSSH daemon error messages that may indicate exploitation attempts, malformed authentication traffic, or protocol abuse targeting the SSH service. | |
| Such errors could be a sign of vulnerability scanning or active exploitation attempts. |
Comment on lines +7 to +11
| description: > | ||
| Detects attempts to stop or disable common Linux security services such as | ||
| firewalls and endpoint protection agents via system log messages. Adversaries | ||
| may disable security tooling to evade detection and maintain persistence. | ||
|
|
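Review bot: the two empty added rows after the description indicate blank lines inserted into the rule file between the description and the next key; remove them so the YAML keeps the single-blank-line layout used elsewhere in the repository.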
Member
Suggested change
| description: > | |
| Detects attempts to stop or disable common Linux security services such as | |
| firewalls and endpoint protection agents via system log messages. Adversaries | |
| may disable security tooling to evade detection and maintain persistence. | |
| description: | | |
| Detects attempts to stop or disable common Linux security services such as firewalls and endpoint protection agents via system log messages. | |
| Adversaries may disable security tooling to evade detection and maintain persistence. |
| within system log messages. Such activity is commonly associated | ||
| with credential stuffing or password guessing attacks. | ||
| references: | ||
| - https://attack.mitre.org/techniques/T1110/ |
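Review bot: the first two lines attribute the matched messages to credential stuffing or password guessing, but a plain Sigma rule has no event count, so a single failed login satisfies it; either phrase the description as flagging individual authentication failures, or move the brute-force claim into a correlation rule that counts failures per source over a time window.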
Member
No need for MITRE links since we already have tags.
Suggested change
| - https://attack.mitre.org/techniques/T1110/ |
I’ve added an additional Sigma rule to detect SSH brute-force authentication attempts via Linux syslog as part of this branch. If preferred, I can split this into a separate pull request for clarity.