Reverse SSH tunnel to external domain/ip

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

12 Hours

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Protocol Tunneling (T1572)

Severity

Medium

Description

A reverse SSH tunnel might have been created.

Attacker's Goals

Attackers may use SSH to create an encrypted tunnel to allow an attacker to covertly connect to an internal host.

Investigative actions

  • Review the external ip/domain.
  • Investigate the causality of the process.