Suspicious SSH Downgrade

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Palo Alto Networks Platform Logs

Detection Modules

Detector Tags

NDR Lateral Movement Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

The endpoint requested an SSH downgrade. Negotiating a lower SSH version may enable attackers to perform attacks such as data decryption, man-in-the-middle, session hijacking and replay attacks.

Attacker's Goals

  • Attackers may attempt to move laterally across the network by exploiting weaknesses in a lower version of SSH.

Investigative actions

Audit the authentication attempts on the SSH server from the alerted host.
If the source host successfully authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.

Variations

A Host Performed an SSH Downgrade For The First Time In The Last 30 Days

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

The endpoint requested an SSH downgrade to a version lower than the source host used in the past. Negotiating a lower SSH version may enable attackers to perform attacks such as data decryption, man-in-the-middle, session hijacking and replay attacks.

Attacker's Goals

  • Attackers may attempt to move laterally across the network by exploiting weaknesses in a lower version of SSH.

Investigative actions

Audit the authentication attempts on the SSH server from the alerted host.
If the source host successfully authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.


A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

The endpoint requested an SSH downgrade to a version lower than the remote host (the target server) used in the past. Negotiating a lower SSH version may enable attackers to perform attacks such as data decryption, man-in-the-middle, session hijacking and replay attacks.

Attacker's Goals

  • Attackers may attempt to move laterally across the network by exploiting weaknesses in a lower version of SSH.

Investigative actions

Audit the authentication attempts on the SSH server from the alerted host.
If the source host successfully authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.
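The following Python sketch is an added example, not Cortex XDR code and not a description of how the product implements this alert. It replays the logic that the main alert and both variations above describe over a handful of constructed SSH connection events: the protocol version is read from the client's SSH identification string, a client announcing a version below SSH-2.0 is treated as a downgrade request (main alert), and a version lower than anything the same source host or target server used in the previous 30 days, with no earlier downgrade for that host or server inside that window, raises the "first time in the last 30 days" variation for the host or server respectively. The event field names, the alert conditions, the 30-day window and the 1-day deduplication key are assumptions chosen to match the page's Training and Deduplication Periods.

```python
"""Added example, not Cortex XDR code: a toy replay of the logic the alert
and its two variations describe, over constructed SSH connection events.
Event field names, the alert conditions and the version comparison are
assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# SSH identification string "SSH-protoversion-softwareversion" (RFC 4253 s4.2).
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

TRAINING_WINDOW = timedelta(days=30)  # page: Training Period = 30 days
DEDUP_WINDOW = timedelta(days=1)      # page: Deduplication Period = 1 day

MAIN = "Suspicious SSH Downgrade"
HOST_FIRST = "A Host Performed an SSH Downgrade For The First Time In The Last 30 Days"
TARGET_FIRST = "A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days"


def proto_version(banner: str) -> tuple[int, int]:
    """Return (major, minor) of the protocol version in an SSH banner,
    e.g. 'SSH-2.0-OpenSSH_8.9' -> (2, 0). A server that also speaks SSH-1
    announces 'SSH-1.99-...' (RFC 4253 s5.1), which compares below (2, 0)."""
    m = BANNER_RE.match(banner)
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def detect(events):
    """events: dicts {ts, src, dst, banner} in time order; banner is the
    identification string the client (src) sent to the server (dst).
    Returns a list of (ts, src, dst, alert_name)."""
    seen = {"src": defaultdict(list), "dst": defaultdict(list)}        # key -> [(ts, ver)]
    downgrades = {"src": defaultdict(list), "dst": defaultdict(list)}  # key -> [ts]
    last_alert = {}  # (alert, src, dst) -> ts, for the 1-day deduplication
    alerts = []

    def emit(name, ev):
        key = (name, ev["src"], ev["dst"])
        prev = last_alert.get(key)
        if prev is None or ev["ts"] - prev >= DEDUP_WINDOW:
            last_alert[key] = ev["ts"]
            alerts.append((ev["ts"], ev["src"], ev["dst"], name))

    for ev in events:
        ver = proto_version(ev["banner"])
        since = ev["ts"] - TRAINING_WINDOW

        # Main alert (assumed condition): the client asked for a protocol
        # version older than SSH-2.0, i.e. an SSH-1 connection.
        if ver < (2, 0):
            emit(MAIN, ev)

        # Variations: lower than anything seen for this source host / target
        # server inside the training window, and no earlier downgrade for that
        # host or server inside the window ("first time in 30 days").
        for side, name in (("src", HOST_FIRST), ("dst", TARGET_FIRST)):
            key = ev[side]
            history = [v for t, v in seen[side][key] if t >= since]
            if history and ver < max(history):
                if not any(t >= since for t in downgrades[side][key]):
                    emit(name, ev)
                downgrades[side][key].append(ev["ts"])

        seen["src"][ev["src"]].append((ev["ts"], ver))
        seen["dst"][ev["dst"]].append((ev["ts"], ver))
    return alerts


def sample_events():
    """Constructed sample data, not real firewall logs."""
    t0 = datetime(2024, 9, 1)

    def mk(off, src, dst, banner):
        return {"ts": t0 + off, "src": src, "dst": dst, "banner": banner}

    return [
        mk(timedelta(days=0), "10.0.0.5", "10.0.1.20", "SSH-2.0-OpenSSH_8.9"),
        mk(timedelta(days=1), "10.0.0.5", "10.0.1.20", "SSH-2.0-OpenSSH_8.9"),
        mk(timedelta(days=3), "10.0.0.7", "10.0.1.20", "SSH-2.0-OpenSSH_9.3"),
        # day 10: 10.0.0.5 suddenly speaks SSH-1 to a server it used SSH-2 with
        mk(timedelta(days=10), "10.0.0.5", "10.0.1.20", "SSH-1.5-legacyclient_1.0"),
        mk(timedelta(days=10, hours=2), "10.0.0.5", "10.0.1.20", "SSH-1.5-legacyclient_1.0"),  # deduplicated
        mk(timedelta(days=12), "10.0.0.7", "10.0.1.20", "SSH-1.5-legacyclient_1.0"),  # new host, same server
        mk(timedelta(days=50), "10.0.0.5", "10.0.1.20", "SSH-2.0-OpenSSH_8.9"),       # window has rolled over
        mk(timedelta(days=52), "10.0.0.5", "10.0.1.20", "SSH-1.5-legacyclient_1.0"),  # fires again
    ]


def run_sample():
    return detect(sample_events())


if __name__ == "__main__":
    for ts, src, dst, name in run_sample():
        print(f"{ts:%Y-%m-%d %H:%M} {src} -> {dst}: {name}")
```

Running the sample produces eight alerts: the main alert on days 10, 12 and 52 (the repeat two hours after the first is suppressed by the 1-day deduplication), the host variation for 10.0.0.5 on day 10 and for 10.0.0.7 on day 12, and the target-server variation only once on day 10 for that period, because the second host's downgrade is not the server's first in the window. On day 52 both variations fire again because the earlier downgrades have aged out of the 30-day training window, which is the behaviour to expect when a host relapses after a quiet month. When triaging, the investigative step above still applies: the alert only says a lower version was negotiated, so check whether the source host actually authenticated to the server.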