Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 12 Hours |
| Required Data | Requires: Palo Alto Networks Url Logs |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | Command and Control (TA0011) |
| ATT&CK Technique | Protocol Tunneling (T1572) |
| Severity | Informational |
Description
An uncommon network tunnel was established.
Attacker's Goals
Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host, routing the traffic through a machine they already control.
Investigative actions
- Review the external IP/domain using known threat-intelligence tools.
- Investigate the causality chain of the process (its parent and ancestor processes) and the user ID it ran under to find uncommon behavior.
- Inspect the command line for forwarding switches (for OpenSSH: -L, -R, -D or -w) to determine which ports or networks the tunnel exposes.
- Search for processes or files that were created by this SSH instance.
Variations
Uncommon network tunnel creation
Description
An uncommon network tunnel was established using ACS_ssh.exe.
Attacker's Goals
Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host, routing the traffic through a machine they already control.
Investigative actions
- Review the external IP/domain using known threat-intelligence tools.
- Investigate the causality chain of the process (its parent and ancestor processes) and the user ID it ran under to find uncommon behavior.
- Inspect the command line for forwarding switches (for OpenSSH: -L, -R, -D or -w) to determine which ports or networks the tunnel exposes.
- Search for processes or files that were created by this SSH instance.
Uncommon SSH tunnel to unpopular IP address
Description
An uncommon SSH tunnel was established to a remote IP address that is rarely contacted from within the organization.
Attacker's Goals
Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host, routing the traffic through a machine they already control.
Investigative actions
- Review the external IP/domain using known threat-intelligence tools.
- Investigate the causality chain of the process (its parent and ancestor processes) and the user ID it ran under to find uncommon behavior.
- Inspect the command line for forwarding switches (for OpenSSH: -L, -R, -D or -w) to determine which ports or networks the tunnel exposes.
- Search for processes or files that were created by this SSH instance.
An uncommon network tunnel was established over the default SSH port
Description
A process and command line that are rarely seen in the organization created a network tunnel over the default SSH port (22).
Attacker's Goals
Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host, routing the traffic through a machine they already control.
Investigative actions
- Review the external IP/domain using known threat-intelligence tools.
- Investigate the causality chain of the process (its parent and ancestor processes) and the user ID it ran under to find uncommon behavior.
- Inspect the command line for forwarding switches (for OpenSSH: -L, -R, -D or -w) to determine which ports or networks the tunnel exposes.
- Search for processes or files that were created by this SSH instance.
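The following is an added example, not Cortex XDR code and not part of this page, that shows for the attacker's goals and investigative actions above and for the three variations how the distinguishing signals can be derived from process and network events. It recognises the OpenSSH forwarding switches on a command line, builds a training baseline of which hosts use which client image, tunnel type and destination, flags events whose image, command-line shape or destination IP is rare (one check per variation), and suppresses repeats of the same finding for a 12-hour deduplication window. The event fields, the three-host popularity threshold, the variation names as output labels and the sample events are all constructed assumptions.

```python
"""Added example, not Cortex XDR code: score SSH tunnel creation events against a
training baseline. Event fields, thresholds and sample events are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import shlex

DEFAULT_SSH_PORT = 22
DEDUP_WINDOW = timedelta(hours=12)   # the Deduplication Period from the synopsis
MIN_HOSTS = 3                         # assumed: seen on fewer training hosts = "unpopular"
# OpenSSH forwarding switches: -L local, -R remote, -D dynamic (SOCKS), -w tun device.
TUNNEL_FLAGS = {"-L": "local_forward", "-R": "remote_forward",
                "-D": "dynamic_socks", "-w": "tun_device"}


@dataclass
class ProcEvent:            # assumed shape of one process-start event with its connection
    ts: datetime
    host: str
    user: str
    image: str              # process image name, e.g. ssh.exe
    cmdline: str
    remote_ip: str
    remote_port: int


def tunnel_kinds(cmdline):
    """Forwarding types requested on an ssh-style command line ([] if none)."""
    argv = shlex.split(cmdline, posix=False)   # posix=False keeps Windows backslashes
    kinds, i = [], 0
    while i < len(argv):
        tok = argv[i]
        for flag, kind in TUNNEL_FLAGS.items():
            # accept both "-L 8080:db:5432" and the attached form "-L8080:db:5432"
            if tok == flag or (tok.startswith(flag) and len(tok) > len(flag)):
                kinds.append(kind)
                if tok == flag:
                    i += 1                     # skip the forwarding spec argument
                break
        i += 1
    return kinds


def build_baseline(training):
    """Training period: hosts seen using each image, (image, kinds) signature and IP."""
    by_image, by_sig, by_ip = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in training:
        kinds = tunnel_kinds(e.cmdline)
        if not kinds:
            continue                           # only tunnel-creating events shape the baseline
        image = e.image.lower()
        by_image[image].add(e.host)
        by_sig[(image, tuple(sorted(kinds)))].add(e.host)
        by_ip[e.remote_ip].add(e.host)
    return by_image, by_sig, by_ip


def evaluate(event, baseline, min_hosts=MIN_HOSTS):
    """Names of the variations an event matches ([] when it looks routine)."""
    kinds = tunnel_kinds(event.cmdline)
    if not kinds:
        return []
    by_image, by_sig, by_ip = baseline
    image, hits = event.image.lower(), []
    if len(by_image[image]) < min_hosts:                       # rare client binary
        hits.append("Uncommon network tunnel creation")
    if len(by_ip[event.remote_ip]) < min_hosts:                # rare destination
        hits.append("Uncommon SSH tunnel to unpopular IP address")
    sig = (image, tuple(sorted(kinds)))
    if event.remote_port == DEFAULT_SSH_PORT and len(by_sig[sig]) < min_hosts:
        hits.append("An uncommon network tunnel was established over the default SSH port")
    return hits


def run(training, candidates, min_hosts=MIN_HOSTS, window=DEDUP_WINDOW):
    """Score candidates against the baseline, suppressing a repeat of the same
    (host, user, destination, variation) that falls inside the deduplication window."""
    baseline, last_seen, alerts = build_baseline(training), {}, []
    for e in candidates:
        for variation in evaluate(e, baseline, min_hosts):
            key = (e.host, e.user, e.remote_ip, variation)
            if key in last_seen and e.ts - last_seen[key] < window:
                continue
            last_seen[key] = e.ts
            alerts.append((e.host, e.image, e.remote_ip, variation))
    return alerts


T0 = datetime(2024, 1, 1, 9, 0)
# Constructed 30-day baseline: five workstations port-forward through one internal jump host.
TRAINING = [ProcEvent(T0 - timedelta(days=d), f"ws0{d}", "svc", "ssh.exe",
                      "ssh.exe -L 8080:intranet:80 svc@10.0.0.5", "10.0.0.5", 22)
            for d in range(1, 6)]
# Constructed candidates: an unusual client binary, its repeat an hour later, a SOCKS
# tunnel to a never-seen address over port 22, and two routine uses of the jump host.
EXOTIC = "ACS_ssh.exe -R 4444:localhost:3389 u@203.0.113.9 -p 2222"
CANDIDATES = [
    ProcEvent(T0, "ws07", "alice", "ACS_ssh.exe", EXOTIC, "203.0.113.9", 2222),
    ProcEvent(T0 + timedelta(hours=1), "ws07", "alice", "ACS_ssh.exe", EXOTIC, "203.0.113.9", 2222),
    ProcEvent(T0, "ws11", "bob", "ssh.exe", "ssh.exe -D 1080 -N bob@198.51.100.20", "198.51.100.20", 22),
    ProcEvent(T0, "ws03", "svc", "ssh.exe", "ssh.exe -L 8080:intranet:80 svc@10.0.0.5", "10.0.0.5", 22),
    ProcEvent(T0, "ws04", "bob", "ssh.exe", "ssh.exe -N bob@10.0.0.5", "10.0.0.5", 22),
]
```

Running `run(TRAINING, CANDIDATES)` yields four alerts: the ACS_ssh.exe event matches the first and second variations (its repeat an hour later is deduplicated away), the SOCKS tunnel from ws11 matches the second and third, and the two jump-host events produce nothing because the -N session opens no forwarding and the -L signature, image and destination are all well established in the baseline. The popularity threshold is the knob a practitioner would tune: too low and a single contractor laptop makes a destination "popular"; too high and routine jump-host use keeps firing.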