Suspicious Logins

This alert occurs when Lacework detects a failed SSH or RDP login followed by a successful SSH or RDP login from the same source IP within one hour.
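The correlation rule above, as an added example (not Lacework's own logic or data): a small Python correlator that reads constructed SSH/RDP auth events in a simplified "timestamp service outcome src_ip user" format, keys on source IP regardless of service, and raises an alert when a success follows a failure from the same IP within one hour.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # the alert's one-hour correlation window

# Constructed sample events (not real Lacework data): "timestamp service outcome src_ip user".
SAMPLE_EVENTS = """\
2024-05-01T10:00:00Z ssh failed 203.0.113.7 root
2024-05-01T10:00:05Z ssh failed 203.0.113.7 admin
2024-05-01T10:42:10Z ssh success 203.0.113.7 deploy
2024-05-01T09:00:00Z rdp failed 198.51.100.9 Administrator
2024-05-01T11:30:00Z rdp success 198.51.100.9 Administrator
2024-05-01T13:00:00Z rdp failed 198.51.100.23 svc_backup
2024-05-01T13:10:00Z ssh success 198.51.100.23 svc_backup
2024-05-01T12:00:00Z ssh success 192.0.2.44 alice
"""

LINE_RE = re.compile(r"^(\S+) (ssh|rdp) (failed|success) (\S+) (\S+)$")

def parse(text):
    """Parse the constructed event format into dicts, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, service, outcome, ip, user = m.groups()
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "service": service, "outcome": outcome, "src_ip": ip, "user": user,
        })
    return sorted(events, key=lambda e: e["time"])

def correlate(events, window=WINDOW):
    """Return one alert per successful login preceded by a failure from the same IP within the window."""
    failures = {}  # src_ip -> failed events that are still inside the window
    alerts = []
    for ev in events:
        # Drop failures older than the window relative to this event, then keep the rest.
        recent = [f for f in failures.get(ev["src_ip"], []) if ev["time"] - f["time"] <= window]
        failures[ev["src_ip"]] = recent
        if ev["outcome"] == "failed":
            recent.append(ev)
        elif recent:  # a success with at least one in-window prior failure from this IP
            alerts.append({
                "src_ip": ev["src_ip"], "user": ev["user"], "service": ev["service"],
                "failed_attempts": len(recent),
                "failed_services": sorted({f["service"] for f in recent}),
                "success_at": ev["time"].isoformat(),
            })
            failures[ev["src_ip"]] = []  # one alert per burst; start a fresh window afterwards
    return alerts
```

In the sample, 203.0.113.7 (two SSH failures, success 42 minutes later) and 198.51.100.23 (RDP failure, SSH success ten minutes later) trigger alerts, while 198.51.100.9 does not because its success comes 2.5 hours after the failure.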

Why this Alert is Important

This alert indicates that an IP address associated with a failed login attempt has successfully accessed your infrastructure. Such an alert should be investigated immediately. An example of this occurring is when an adversary attempts a brute-force attack via SSH or RDP and then successfully logs in to a host in your organization via SSH or RDP from the same source IP within an hour.

Investigation

Determine what service the IP address successfully logged in to. Identify the account that was used and determine if the activity is known to the associated user. Investigate threat tags and any open source information to determine what activity the IP address has been associated with in the past. Examine the number of connections and size of data transfer for the connections to determine if meaningful data has been transferred.

Resolution

If the IP address and login are confirmed to be malicious, isolate the host and search for signs of persistence. Reset credentials for the user account in question. Determine internal connection patterns and look for indicators of lateral movement. After performing local forensics, return the machine to its last known good state, which may require reimaging the machine.