AN1263: Analytic 1263
Rapid login failures across different users from a single IP address, targeting SSH or PAM login with distinct username-password pairs
Analyst context for executives and security teams
This analytic points to a pattern that can matter quickly for business continuity: many failed Linux SSH or PAM logins against different user accounts from one source IP, using distinct username-password pairs. For leaders, the value is not just “failed logins happened,” but whether the organization can reliably see and triage activity that resembles a credential attack before it becomes an access, outage, or incident-response problem.
Executive priority
Prioritize this as an identity and Linux access-monitoring validation item. Ask whether critical Linux systems, remote access paths, and PAM-backed services produce usable authentication logs, whether the SOC has thresholds that distinguish broad account probing from normal user error, and whether response playbooks can block or contain a suspicious source without disrupting legitimate operations. It also supports audit and compliance evidence around access monitoring, failed-login review, and incident escalation.
Technical view
For SOC and detection teams, validate coverage for Linux SSH and PAM authentication failures where a single source IP generates rapid failures across multiple distinct user accounts and distinct username-password attempts. Because the ATT&CK object provides no formal detection logic, teams should define local thresholds, time windows, and exception handling based on environment size, bastion hosts, VPN ranges, scanners, automation, and administrative workflows. IR teams should be able to pivot from the source IP to targeted usernames, destination hosts, timestamps, and any subsequent successful authentication.
Likely telemetry
- Linux authentication logs for SSH and PAM-backed login events
- Failed authentication event fields including source IP, destination host, username, timestamp, and service
- SSH daemon logs from servers, bastion hosts, and remote administration endpoints
- Centralized log pipeline or SIEM records that preserve authentication failure detail
- Network or access-control logs that can corroborate the source IP path where available
Detection direction
- Create or validate correlation for rapid failed logins from one source IP across multiple distinct usernames on Linux SSH or PAM services.
- Tune thresholds by host role and exposure; internet-facing SSH, bastions, and administrative jump systems may need different baselines than internal servers.
- Reduce false positives by accounting for vulnerability scanners, password-management failures, configuration drift, monitoring systems, and known administrative source ranges.
- Include pivots for any successful login from the same source IP or against the same targeted accounts after the failure burst.
- Check for blind spots where local auth logs are not forwarded, PAM logs are inconsistent across distributions, source IPs are masked by proxies or NAT, or log retention is too short for investigation.
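The correlation described in the technical view and the detection direction above, as an added worked example (not MITRE or Glexia code): it parses OpenSSH sshd syslog lines, slides a time window per source IP, counts distinct failed usernames, suppresses an allowlisted scanner range, and pivots to any later successful login from the same source. The sample log lines, the 60-second window, the four-account threshold and the year used to complete syslog timestamps are all constructed placeholders to be replaced by local tuning.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (not real telemetry): a probing source, a user typo, a scanner.
SAMPLE_LOG = """\
Mar  3 10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Mar  3 10:00:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51114 ssh2
Mar  3 10:00:05 web01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 51116 ssh2
Mar  3 10:00:08 web01 sshd[2219]: Failed password for deploy from 203.0.113.7 port 51120 ssh2
Mar  3 10:00:40 web01 sshd[2230]: Accepted password for deploy from 203.0.113.7 port 51140 ssh2
Mar  3 10:01:00 web01 sshd[2240]: Failed password for alice from 10.0.5.20 port 40001 ssh2
Mar  3 10:01:05 web01 sshd[2241]: Failed password for alice from 10.0.5.20 port 40002 ssh2
Mar  3 10:02:00 web01 sshd[2250]: Failed password for invalid user scan from 10.0.9.9 port 40100 ssh2
Mar  3 10:02:01 web01 sshd[2251]: Failed password for root from 10.0.9.9 port 40102 ssh2
Mar  3 10:02:02 web01 sshd[2252]: Failed password for backup from 10.0.9.9 port 40103 ssh2
Mar  3 10:02:03 web01 sshd[2253]: Failed password for invalid user git from 10.0.9.9 port 40104 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(log_text, year=2026):
    """Yield (timestamp, host, result, user, ip); syslog lines lack a year, so supply one (assumed)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["result"], m["user"], m["ip"]

def detect(log_text, window=timedelta(seconds=60), min_users=4, allowlist=frozenset()):
    """Alert per source IP whose failures span >= min_users distinct accounts inside one sliding window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, host, result, user, ip in parse(log_text):
        if ip in allowlist:  # known scanners / admin ranges: placeholder exception handling, tune locally
            continue
        (failures if result == "Failed" else successes)[ip].append((ts, host, user))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window start forward
                start += 1
            users = {u for _, _, u in events[start:end + 1]}
            if len(users) >= min_users:
                first = events[start][0]  # pivot: any success from this IP after the burst began
                alerts[ip] = {"first_seen": first, "users": users,
                              "later_success": [e for e in successes[ip] if e[0] >= first]}
                break
    return alerts
```

Running `detect(SAMPLE_LOG)` flags 203.0.113.7 (four accounts in seven seconds, followed by an accepted login for deploy) and 10.0.9.9, while alice's two failures against her own account stay below the threshold; passing `allowlist=frozenset({"10.0.9.9"})` suppresses the scanner.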
Mitigation priorities
- Ensure Linux SSH and PAM authentication logs are consistently collected and retained from systems that matter to operations.
- Harden remote administrative access with strong authentication controls and restricted exposure where appropriate.
- Maintain response procedures for suspicious source IP containment, account review, and host-level investigation without relying on ad hoc decisions during an incident.
- Review account hygiene for privileged and service accounts, especially accounts that appear in repeated failed-login activity.
- Use this analytic as evidence for access-monitoring control validation, but pair it with local testing because MITRE did not provide detection logic.
Analyst notes and limits
The supplied object is a detection analytic for Linux, focused on rapid SSH or PAM login failures across different users from a single IP address. No tactics, relationships, aliases, or formal detection text were supplied, so this take emphasizes defensive validation and telemetry requirements rather than a specific ATT&CK technique mapping.
This assessment is limited to the official STIX fields, the MITRE external reference, and the absence of relationship context. It does not establish actor attribution, active exploitation, impact, or guaranteed detection coverage. Local log quality, identity architecture, exposure model, and business-critical Linux assets are required to determine priority and thresholds.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0cb3cd222a7b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1263
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.