Potential macOS SSH Brute Force Detected
editPotential macOS SSH Brute Force Detected
editIdentifies a high number of inbound SSH login attempts on a macOS host within a short time window. On macOS, each inbound SSH authentication attempt spawns the sshd-keygen-wrapper process once, whether the login succeeds or fails. Adversaries may perform password brute force or password spraying against exposed SSH services to obtain unauthorized access.
Rule type: threshold
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Credential Access
- Data Source: Elastic Defend
- Resources: Investigation Guide
Version: 113
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Potential macOS SSH Brute Force Detected
SSH (Secure Shell) is a protocol used to securely access remote systems. On macOS, each inbound SSH authentication attempt spawns
sshd-keygen-wrapper once before handing off to sshd, regardless of whether the login succeeds or fails. This rule uses that
1:1 relationship as a proxy for high inbound SSH login attempt volume on a host. It does not detect SSH key generation or
key-based brute force activity.
Possible investigation steps
-
Review alert details for
host.os.type:macos,process.name:sshd-keygen-wrapper, andprocess.parent.name:launchd. -
Examine the frequency and timing of
sshd-keygen-wrapperprocess starts to determine if they suggest automated login attempts. - Review SSH authentication logs on the affected host for failed and successful logins, source IP addresses, and targeted usernames.
- Determine whether Remote Login is expected to be enabled on this host (for example, build servers or developer workstations).
- Correlate the activity with other alerts or logs from the same host to identify additional indicators of compromise.
- Review user account activity on the host to determine if any accounts were accessed or modified unexpectedly.
False positive analysis
- Build servers, developer workstations, or CI/CD pipelines that receive many legitimate inbound SSH connections may trigger this rule. Exclude known hosts or maintenance windows if the activity is expected.
- Automated deployment or configuration management tools that open many SSH sessions in a short period can cause false positives.
- Internet-facing SSH services may receive high volumes of scanning or credential-stuffing traffic from unrelated sources.
-
Security scanners or health checks that repeatedly test SSH connectivity may generate elevated
sshd-keygen-wrapperactivity.
Response and remediation
- Review SSH authentication logs to identify source IPs, targeted accounts, and whether any logins succeeded.
- If unauthorized access is suspected, isolate the affected macOS host from the network.
- Implement IP blocking or rate limiting on the SSH service to reduce further login attempts.
- Review and reset credentials for affected user accounts if compromise is confirmed.
- Conduct a thorough review of the host’s SSH configuration and enabled Remote Login settings.
- Escalate to the security operations team if additional hosts show similar patterns.
- Enhance monitoring for SSH authentication anomalies across the environment.
Setup
editSetup
This rule requires data coming in from Elastic Defend.
Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the documentation.
The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. Helper guide.
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the helper guide.
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the helper guide.
Rule query
editevent.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Brute Force
- ID: T1110
- Reference URL: https://attack.mitre.org/techniques/T1110/
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: External Remote Services
- ID: T1133
- Reference URL: https://attack.mitre.org/techniques/T1133/