Uncommon network tunnel creation

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

12 Hours

Required Data

  • Requires:
    • Palo Alto Networks Url Logs

Detection Modules

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Protocol Tunneling (T1572)

Severity

Informational

Description

An uncommon network tunnel was established.

Attacker's Goals

Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host.

Investigative actions

  • Review the external IP/domain using known intelligence tools.
  • Investigate the causality of the process and its user ID to find uncommon behaviors.
  • Search for processes or files that were created by this SSH instance.

Variations

Uncommon network tunnel creation

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Protocol Tunneling (T1572)

Severity

Informational

Description

An uncommon network tunnel was established using ACS_ssh.exe.

Attacker's Goals

Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host.

Investigative actions

  • Review the external IP/domain using known intelligence tools.
  • Investigate the causality of the process and its user ID to find uncommon behaviors.
  • Search for processes or files that were created by this SSH instance.


Uncommon SSH tunnel to unpopular IP address

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Protocol Tunneling (T1572)

Severity

Low

Description

An uncommon SSH tunnel was established to a remote IP address that is unpopular within the organization.

Attacker's Goals

Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host.

Investigative actions

  • Review the external IP/domain using known intelligence tools.
  • Investigate the causality of the process and its user ID to find uncommon behaviors.
  • Search for processes or files that were created by this SSH instance.


An uncommon network tunnel was established over the default SSH port

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Protocol Tunneling (T1572)

Severity

Low

Description

An unpopular process and command line created a network tunnel over the default SSH port.

Attacker's Goals

Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host.

Investigative actions

  • Review the external IP/domain using known intelligence tools.
  • Investigate the causality of the process and its user ID to find uncommon behaviors.
  • Search for processes or files that were created by this SSH instance.
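The training, activation and deduplication periods and the severity variations above, modelled as a small rarity detector over constructed process events. This is an added illustration, not Cortex XDR's own analytics; the event schema, the forwarding-flag regex and the COMMON threshold are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
import re

# ssh port-forwarding flags: -L local, -R remote, -D dynamic (SOCKS)
TUNNEL_FLAG = re.compile(r"(?:^|\s)-[LRD](?:\s|\d)")
TRAINING = timedelta(days=30)    # Training Period
ACTIVATION = timedelta(days=14)  # Activation Period
DEDUP = timedelta(hours=12)      # Deduplication Period
COMMON = 3  # assumed: seen more often than this in training means "common"

def is_tunnel(ev):
    return bool(TUNNEL_FLAG.search(ev["cmdline"]))

def severity(ev, ip_popularity):
    # Page variations: unpopular destination IP or default SSH port -> Low
    return "Low" if ip_popularity == 0 or ev["dst_port"] == 22 else "Informational"

def detect(events, now):
    # Alert on activation-window tunnels whose process was not common in training.
    act_start = now - ACTIVATION
    train_start = act_start - TRAINING
    proc_seen, ip_seen = Counter(), Counter()
    for ev in events:
        if is_tunnel(ev) and train_start <= ev["ts"] < act_start:
            proc_seen[ev["process"].lower()] += 1
            ip_seen[ev["dst_ip"]] += 1
    last_alert, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_tunnel(ev) or ev["ts"] < act_start:
            continue
        proc = ev["process"].lower()
        if proc_seen[proc] > COMMON:
            continue  # a routine tunnelling utility in this organisation
        dk = (ev["host"], proc, ev["dst_ip"])
        if dk in last_alert and ev["ts"] - last_alert[dk] < DEDUP:
            continue  # same tunnel already alerted inside the dedup window
        last_alert[dk] = ev["ts"]
        alerts.append({"host": ev["host"], "process": ev["process"], "dst_ip": ev["dst_ip"],
                       "severity": severity(ev, ip_seen[ev["dst_ip"]])})
    return alerts

# Constructed sample: ops-01 tunnels routinely; ACS_ssh.exe shows up on ws-17 twice in 12h.
NOW = datetime(2024, 6, 4)
def _ev(days_ago, host, process, cmdline, ip, port):
    return {"ts": NOW - timedelta(days=days_ago), "host": host, "process": process,
            "cmdline": cmdline, "dst_ip": ip, "dst_port": port}
SAMPLE = [_ev(d, "ops-01", "ssh.exe", "ssh -L 8080:db:5432 203.0.113.10", "203.0.113.10", 2222)
          for d in (1, 20, 25, 30, 35, 40)]
SAMPLE += [_ev(d, "ws-17", "ACS_ssh.exe", "ACS_ssh -D 1080 198.51.100.7", "198.51.100.7", 22)
           for d in (3.0, 2.9)]
```

Running `detect(SAMPLE, NOW)` yields a single Low-severity alert for ACS_ssh.exe on ws-17: the routine ssh.exe tunnels are suppressed as common, and the second ACS_ssh.exe event is deduplicated.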