Threat Feed advisory (severity: medium)

Potential macOS SSH Brute Force Detected

This rule identifies a high number of inbound SSH login attempts on a macOS host within a short time window by monitoring the `sshd-keygen-wrapper` process, indicating potential brute-force attacks against exposed SSH services.

This detection rule identifies potential SSH brute-force attacks targeting macOS systems. It leverages Elastic Defend's process monitoring capabilities to detect a high volume of inbound SSH login attempts within a short timeframe. The rule focuses on the `sshd-keygen-wrapper` process, which is spawned for each SSH authentication attempt, whether successful or not. By monitoring how often this process starts, the rule aims to surface brute-force or password-spraying activity against exposed SSH services early enough for responders to block it before unauthorized access succeeds. The rule does not detect key-based brute-force activity.

Attack Chain

  1. An attacker identifies a macOS system with an exposed SSH service.
  2. The attacker initiates a brute-force attack against the SSH service, attempting multiple username and password combinations.
  3. Each failed SSH authentication attempt spawns a new sshd-keygen-wrapper process on the target macOS system.
  4. The detection rule monitors process creation events, specifically looking for the sshd-keygen-wrapper process with launchd as its parent.
  5. If the number of sshd-keygen-wrapper process starts exceeds a defined threshold within a short time window, the rule triggers.
  6. The attacker gains unauthorized access to the macOS system if valid credentials are found.
  7. Once inside, the attacker can perform actions such as data exfiltration, lateral movement, or installation of malware.
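The counting logic of steps 4 and 5, as an added example that is not the advisory's Sigma rule or Elastic's own code: a per-host sliding window over process-creation events that only counts `sshd-keygen-wrapper` started by `launchd`. The event field names, the 5-spawns-in-60-seconds threshold and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, to be tuned per environment: N spawns within W seconds.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)

def is_ssh_auth_spawn(event):
    """True for a macOS process-creation event of sshd-keygen-wrapper started by launchd."""
    return (event.get("event_type") == "process_creation"
            and event.get("os") == "macos"
            and event.get("process_name", "").endswith("sshd-keygen-wrapper")
            and event.get("parent_name", "").endswith("launchd"))

def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Per-host sliding-window count over timestamp-ordered events; one alert per host
    the first time the number of matching spawns inside the window reaches threshold."""
    recent = defaultdict(deque)  # host -> timestamps of matching spawns still in the window
    alerted, alerts = set(), []
    for ev in events:
        if not is_ssh_auth_spawn(ev):
            continue  # other processes, or sshd-keygen-wrapper not under launchd
        host, ts = ev["host"], datetime.fromisoformat(ev["timestamp"])
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # expire spawns that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts

def _ev(host, second, parent="/sbin/launchd"):
    """Constructed sample event (not real telemetry); field names are assumptions."""
    return {"event_type": "process_creation", "os": "macos", "host": host,
            "timestamp": f"2024-01-01T10:00:{second:02d}",
            "process_name": "/usr/libexec/sshd-keygen-wrapper", "parent_name": parent}

# Constructed sample: mac-01 gets six spawns in 25 s (alert) plus one spawn under a
# different parent that must be ignored; mac-02 gets only two spawns (below threshold).
SAMPLE_EVENTS = sorted(
    [_ev("mac-01", s) for s in (0, 5, 10, 15, 20, 25)]
    + [_ev("mac-01", 12, parent="/usr/sbin/sshd")]
    + [_ev("mac-02", 3), _ev("mac-02", 50)],
    key=lambda e: e["timestamp"])
```

Running `detect_brute_force(SAMPLE_EVENTS)` yields a single alert for `mac-01`; the spawn under a non-launchd parent and the two isolated spawns on `mac-02` produce nothing, which is the behaviour to keep in mind when tuning the threshold.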

Impact

Successful SSH brute-force attacks can lead to unauthorized access to macOS systems, potentially impacting confidentiality, integrity, and availability. Attackers can gain access to sensitive data, install malware, or use the compromised system as a foothold for further attacks within the network. This can result in financial losses, reputational damage, and disruption of business operations.

Recommendation

  • Deploy the Sigma rule Detect High SSHD Keygen Wrapper Count to your SIEM and tune the threshold value based on your environment.
  • Enable Elastic Defend integration to capture process creation events on macOS endpoints, as required by the rule.
  • Investigate alerts generated by the rule by reviewing SSH authentication logs for suspicious source IPs and targeted usernames.
  • Implement IP blocking or rate limiting on the SSH service to mitigate further login attempts.
  • Review and reset credentials for affected user accounts if compromise is confirmed.

Detection coverage (2 rules)

Detect High SSHD Keygen Wrapper Count

Severity: medium

Detects a high number of sshd-keygen-wrapper processes spawning with launchd as the parent, indicating potential SSH brute-force attempts on macOS.

Format: Sigma. Tactics: credential_access. Techniques: T1110. Sources: process_creation, macos.

Detect SSH Brute Force via Repeated Failed Logins

Severity: medium

Detects a high number of failed SSH logins within a short time frame, indicating a potential brute-force attempt. Requires authentication logs.

Format: Sigma. Tactics: credential_access. Techniques: T1110. Sources: authentication, macos.
