Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | NDR Lateral Movement Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
The endpoint requested an SSH protocol downgrade. An SSH downgrade may enable attackers to perform attacks such as data decryption, man-in-the-middle, session hijacking, replay attacks and more.
Attacker's Goals
- Attackers may attempt to move laterally over the network by exploiting weaknesses in a lower version of SSH.
Investigative actions
Audit the authentication attempts on the SSH server that originated from the alerted host.
If the source host successfully authenticated to the SSH server, it may indicate that the attacker managed to connect to the remote host maliciously.
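The audit step above can be scripted against the SSH server's auth log. The following is an added example, not code from the original page or its vendor: it parses sshd syslog lines (sample lines are constructed here; hostnames, addresses and users are assumed) and reports the accepted and failed authentication attempts coming from the alerted host.

```python
import re
from dataclasses import dataclass

# Constructed sample sshd log lines in syslog format (not from the original page).
SAMPLE_AUTH_LOG = """\
Mar  4 10:02:11 srv01 sshd[2231]: Failed password for invalid user admin from 10.0.5.17 port 51234 ssh2
Mar  4 10:02:15 srv01 sshd[2231]: Failed password for root from 10.0.5.17 port 51234 ssh2
Mar  4 10:02:40 srv01 sshd[2240]: Accepted publickey for deploy from 10.0.5.17 port 51240 ssh2: RSA SHA256:EXAMPLE
Mar  4 10:03:01 srv01 sshd[2250]: Accepted password for alice from 10.0.9.3 port 40022 ssh2
"""

# Matches OpenSSH "Accepted ..." / "Failed ..." authentication records.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str
    server: str
    accepted: bool
    method: str
    user: str
    source: str


def parse_auth_log(text):
    """Parse sshd auth records; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(m["ts"], m["host"], m["result"] == "Accepted",
                                    m["method"], m["user"], m["src"]))
    return events


def audit_source_host(text, alerted_host):
    """Return (accepted_events, failed_count) for attempts from the alerted host.

    A non-empty accepted list means the source host did log in to the server
    after the downgrade request and the session should be investigated.
    """
    events = [e for e in parse_auth_log(text) if e.source == alerted_host]
    accepted = [e for e in events if e.accepted]
    failed = sum(1 for e in events if not e.accepted)
    return accepted, failed


if __name__ == "__main__":
    ok, bad = audit_source_host(SAMPLE_AUTH_LOG, "10.0.5.17")
    print(f"{len(ok)} accepted, {bad} failed; accepted users: {[e.user for e in ok]}")
```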
Variations
- A Host Performed an SSH Downgrade For The First Time In The Last 30 Days
- A Target Server Performed an SSH Downgrade For The First Time In The Last 30 Days