
Outbound SSH traffic indicating brute force activity

ID: ssh_brute_force
Data type: IP
Severity: Low
MITRE ATT&CK: TA0008:T1021.004

Description

AlphaSOC detected outbound traffic patterns consistent with SSH brute force attacks, where a system attempts to establish multiple SSH connections to external hosts. This behavior typically indicates that an internal system has been compromised and is being used to discover or gain unauthorized access to other systems across the internet.
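The pattern this rule describes (one internal host repeatedly opening SSH connections to an external address) can be reproduced over connection logs. The following is an added example written for this page, not AlphaSOC's own detection logic: it parses a constructed, whitespace-separated flow log (timestamp, source IP, destination IP, destination port), keeps only outbound port-22 attempts from assumed internal ranges (RFC 1918) to non-internal addresses, and flags any source/destination pair with at least an assumed threshold of attempts inside an assumed sliding window. The threshold, window and internal ranges are tuning assumptions, not values from the page.

```python
"""Added example (not AlphaSOC's detection code): flag internal hosts whose
outbound SSH connection attempts to one external IP cluster inside a short
time window, the behaviour the rule above describes."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow records: "<timestamp> <src ip> <dst ip> <dst port>".
# 10.0.0.5 -> 203.0.113.10:22 six times in 25 seconds (the brute force pattern);
# 10.0.0.8 -> 192.0.2.30:22 six times but ten minutes apart (spread out, not flagged);
# 10.0.0.7 -> 198.51.100.20:22 only three times (below threshold);
# 10.0.0.5 -> 10.0.0.9:22 is internal-to-internal (out of scope for this rule);
# 10.0.0.7 -> 203.0.113.10:443 is not SSH.
SAMPLE_FLOWS = """\
2024-05-01T10:00:00Z 10.0.0.5 203.0.113.10 22
2024-05-01T10:00:05Z 10.0.0.5 203.0.113.10 22
2024-05-01T10:00:10Z 10.0.0.5 203.0.113.10 22
2024-05-01T10:00:12Z 10.0.0.5 10.0.0.9 22
2024-05-01T10:00:15Z 10.0.0.5 203.0.113.10 22
2024-05-01T10:00:20Z 10.0.0.5 203.0.113.10 22
2024-05-01T10:00:25Z 10.0.0.5 203.0.113.10 22
2024-05-01T10:00:30Z 10.0.0.5 10.0.0.9 22
2024-05-01T10:01:00Z 10.0.0.7 198.51.100.20 22
2024-05-01T10:01:30Z 10.0.0.7 198.51.100.20 22
2024-05-01T10:02:00Z 10.0.0.7 198.51.100.20 22
2024-05-01T10:02:30Z 10.0.0.7 203.0.113.10 443
2024-05-01T11:00:00Z 10.0.0.8 192.0.2.30 22
2024-05-01T11:10:00Z 10.0.0.8 192.0.2.30 22
2024-05-01T11:20:00Z 10.0.0.8 192.0.2.30 22
2024-05-01T11:30:00Z 10.0.0.8 192.0.2.30 22
2024-05-01T11:40:00Z 10.0.0.8 192.0.2.30 22
2024-05-01T11:50:00Z 10.0.0.8 192.0.2.30 22
"""

# Assumed tuning values: attempts per (src, dst) pair needed inside one window.
THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Assumed internal address space (RFC 1918); a real deployment would load its own ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return flows


def detect_ssh_brute_force(flows, threshold=THRESHOLD, window=WINDOW):
    """Return {(src, dst): max_attempts_in_window} for outbound SSH attempts from an
    internal source to an external destination that reach the threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if port != 22:
            continue
        # Only internal -> external traffic matches this rule's description.
        if not is_internal(src) or is_internal(dst):
            continue
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[pair] = best
    return hits


def targets_per_source(hits):
    """Count distinct external targets per flagged source; the severity table on this
    page rates a single target IP as Low."""
    counts = defaultdict(int)
    for src, _dst in hits:
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    flagged = detect_ssh_brute_force(parse_flows(SAMPLE_FLOWS))
    for (src, dst), n in flagged.items():
        print(f"{src} -> {dst}:22 {n} attempts within {WINDOW}")
    print("targets per source:", targets_per_source(flagged))
```

Only the clustered attempts from 10.0.0.5 are reported; the evenly spaced attempts from 10.0.0.8 never exceed one per window, which is the distinction a time-bounded count gives over a plain total. Alert fidelity in practice depends on tuning the threshold and window to the environment and on excluding legitimate automation that opens many SSH sessions to one external host.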

Impact

Compromised systems conducting SSH brute force attacks can lead to unauthorized access to external systems, damaging the organization's reputation and potentially resulting in legal liability. Additionally, the compromised internal system could be part of a larger botnet, consuming network resources and potentially triggering blacklisting by internet service providers.

Severity

Severity    Condition
Low         Suspicious outbound SSH traffic to a single IP address

Investigation and Remediation

Investigate the source system for signs of compromise. Isolate affected systems and perform a thorough malware scan.