Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags | NDR Lateral Movement Analytics
ATT&CK Tactic | Command and Control (TA0011)
ATT&CK Technique |
Severity | Low
Description
An uncommon SSH session was established.
Attacker's Goals
Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
Variations
A suspicious SSH session was established
Synopsis
Description
A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port.
Attacker's Goals
Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
Uncommon SSH session was established to a rare IP address
Synopsis
Description
An uncommon SSH session was established to a rare remote IP address.
Attacker's Goals
Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
Uncommon SSH session was established using a nonstandard SSH port
Synopsis
Description
An uncommon SSH session was established to a destination port other than the standard SSH port.
Attacker's Goals
Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
Uncommon SSH session was established to an internal IP
Synopsis
Description
An uncommon SSH session was established to an internal IP.
Attacker's Goals
Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
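The following is an added example, not the vendor's own analytics logic, that makes the synopsis windows and the variations above concrete: it profiles SSH sessions per source host over constructed sample records and labels each uncommon session with the variation it falls under. The activation, training and deduplication windows are the synopsis values; the rarity rule (an external IP is "globally rare" when no other host has reached it), the RFC 1918 internal ranges, the daily profile refresh and the sample sessions are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ACTIVATION = timedelta(days=14)  # synopsis: no alerts until the detector has run this long
TRAINING = timedelta(days=30)    # synopsis: per-host baseline of past SSH destinations
DEDUP = timedelta(days=1)        # synopsis: one alert per (host, dest, port) per day
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed
EVENTS = [  # constructed sample SSH sessions: (time, source host, destination IP, destination port)
    ("2024-01-01 09:00", "ws1", "10.0.0.5", 22),        # activation period: learn only, no alert
    ("2024-01-03 09:00", "ws2", "203.0.113.7", 22),
    ("2024-01-20 09:00", "ws1", "10.0.0.5", 22),        # already in ws1's baseline: no alert
    ("2024-01-20 10:00", "ws1", "10.0.0.9", 22),        # new internal destination
    ("2024-01-20 11:00", "ws1", "203.0.113.7", 22),     # external, but also reached from ws2: not rare
    ("2024-01-20 12:00", "ws1", "198.51.100.4", 2222),  # rare external IP on a nonstandard port
    ("2024-01-20 13:00", "ws1", "198.51.100.4", 2222),  # repeat within 1 day: deduplicated
    ("2024-01-22 08:00", "ws1", "10.0.0.5", 2222),      # known host, nonstandard port
]

def classify(host, dst, port, seen_by):
    # Assumed rarity rule: an external IP is "globally rare" when no other host has reached it.
    internal = any(ip_address(dst) in net for net in INTERNAL)
    rare = not internal and not (seen_by - {host})
    odd_port = port != 22
    if rare and odd_port:
        return "suspicious: rare external IP, nonstandard port"
    if rare:
        return "uncommon: rare IP address"
    if odd_port:
        return "uncommon: nonstandard SSH port"
    return "uncommon: internal IP" if internal else "uncommon"

def detect(events):
    last_seen = defaultdict(dict)  # host -> {(dst, port): last session time}
    seen_by = defaultdict(set)     # dst -> hosts that have reached it
    last_alert, alerts = {}, []
    t0 = datetime.strptime(min(events)[0], "%Y-%m-%d %H:%M")
    for ts, host, dst, port in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        prev = last_seen[host].get((dst, port))
        # A destination joins the host's baseline from the following day and ages out after TRAINING.
        in_baseline = prev is not None and prev.date() < t.date() and t - prev <= TRAINING
        if t - t0 >= ACTIVATION and not in_baseline:
            label = classify(host, dst, port, seen_by[dst])
            if t - last_alert.get((host, dst, port), datetime.min) > DEDUP:
                alerts.append((ts, host, dst, port, label))
                last_alert[(host, dst, port)] = t
        last_seen[host][(dst, port)] = t
        seen_by[dst].add(host)
    return alerts
```

Running `detect(EVENTS)` yields four alerts (internal IP, plain uncommon, rare external IP on a nonstandard port, nonstandard port) and suppresses the same-day repeat.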