Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 12 Hours |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
A reverse SSH tunnel might have been created.
Attacker's Goals
Attackers may use SSH to create an encrypted tunnel that lets them covertly connect to an internal host.
Investigative actions
- Review the external IP/domain.
- Investigate the causality of the process.
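
The two investigative actions above can be supported with a small triage helper. This is an added example, not the detector's own logic: it assumes process command lines are available from endpoint telemetry, parses OpenSSH client invocations for remote forwards (`-R` or `-o RemoteForward`), and returns the external destination to review. The sample command lines are constructed.

```python
import os
import shlex

# OpenSSH client options that take an argument (from the ssh(1) synopsis).
ARG_OPTS = set("BbcDEeFIiJLlmOopQRSWw")

def reverse_forwards(cmdline):
    """Return (destination, remote-forward specs) for one ssh command line."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "ssh":
        return None, []
    dest, specs, i = None, [], 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("-"):
            if dest is not None:
                break          # remote command starts; a later "-R" is not ssh's
            dest = tok         # ssh keeps parsing options after the destination
            continue
        for pos, ch in enumerate(tok[1:], start=1):
            if ch not in ARG_OPTS:
                continue       # plain flag such as -f or -N
            val = tok[pos + 1:]
            if not val and i < len(argv):
                val = argv[i]
                i += 1
            key, _, rest = val.replace("=", " ", 1).partition(" ")
            if ch == "R":
                specs.append(val)
            elif ch == "o" and key.lower() == "remoteforward":
                specs.append(rest.strip())
            break              # the option's argument ends this token
    return dest, specs

# Constructed process command lines, as they might appear in endpoint telemetry.
SAMPLES = [
    "/usr/bin/ssh -fN -R 2222:localhost:22 user@203.0.113.10",
    "ssh -NR8080:127.0.0.1:80 relay.example.net",
    "ssh ops@relay.example.net -o 'RemoteForward 9001 localhost:3389' -N",
    "ssh -L 8080:localhost:80 -i key.pem admin@10.0.0.5 uptime -R",
    "scp -R report.txt backup.example.net:/tmp",
]

def triage(cmdlines):
    """Keep only command lines that request a remote (reverse) forward."""
    hits = []
    for line in cmdlines:
        dest, specs = reverse_forwards(line)
        if specs:
            hits.append({"cmdline": line, "destination": dest, "forwards": specs})
    return hits
```

Each hit gives the destination to check against known jump hosts and the forwarded port to look for on the internal side; the parent process of the hit is the starting point for the causality review.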