Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.Credential Dumping to obtain password hashes may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking)
Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)
A related technique called password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
/var/log/secure
Invalid User's attempt:
Invalid user koza from <src_ip> port 55403
If Password Authentication is enabled,for failed attempt:
Failed password for master from <src_ip> port 55568 ssh2
If Password Authentication is enabled,for successful attempt:
Accepted password for master from <src_ip> port 55568 ssh2
If ssh-key based authentication enabled, for fialed attempt:
Connection closed by <src_ip> port 55543 [preauth]
If ssh-key based authentication enabled, for successful attempt:
Accepted publickey for ec2-user from <src_ip> port 55289 ssh2: RSA SHA256:kxVVnv/vCqMgGVgb9EMpjup2UEzaBRv1CdHU2KpKiDQ
For each successful Sudo attempt
sudo: ec2-user : TTY=pts/4 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/su
su: pam_unix(su:session): session opened for user root by ec2-user(uid=0)
Auth failure for Sudo su
sudo: pam_unix(sudo:auth): authentication failure; logname=ec2-user uid=1004 euid=0 tty=/dev/pts/4 ruser=splunk rhost= user=splunk
sudo: pam_unix(sudo:auth): authentication failure; logname=ec2-user uid=1004 euid=0 tty=/dev/pts/4 ruser=splunk rhost= user=splunk
for NOT In Sudoers
sudo: splunk : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/su
sudo: splunk : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/etc/shadow
Successful Switch User (su)
su: pam_unix(su:session): session opened for user splunk by ec2-user(uid=1000)
UNSuccessful Switch User (su)
**Command** ec2-user$su splunk
**log**su: pam_unix(su:auth): authentication failure; logname=ec2-user uid=1000 euid=0 tty=pts/4 ruser=ec2-user rhost= user=splunk
**command** ec2-user$su master
**log** su: pam_unix(su:auth): authentication failure; logname=ec2-user uid=1000 euid=0 tty=pts/4 ruser=ec2-user rhost= user=master
Modification(add,delete,permissions ) to key groups like SA/wheel
usermod[5019]: add 'splunk' to group 'wireshark'
gpasswd[5316]: user splunk added by root to group wireshark
gpasswd[5728]: user splunk removed by root from group wireshark