Language: KQL. License: Elastic-2.0. Source: elastic/detection-rules
Unusual Login via System User
Rule source: rules/linux/persistence_ssh_via_backdoored_system_user.toml
event.category:authentication and host.os.type:linux and event.action:("ssh_login" or "user_login") and
user.name:(
"deamon" or "bin" or "sys" or "games" or "man" or "lp" or "mail" or "news" or "uucp" or "proxy" or "www-data" or "backup" or
"list" or "irc" or "gnats" or "nobody" or "systemd-timesync" or "systemd-network" or "systemd-resolve" or "messagebus" or
"avahi" or "sshd" or "dnsmasq"
) and event.outcome:success