Synopsis
| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | Requires one of the following data sources: AWS Flow Log OR AWS OCSF Flow Logs OR Azure Flow Log OR GCP Flow Log OR Palo Alto Networks Platform Logs OR Third-Party Firewalls. Also requires one of the following data sources: Palo Alto Networks Platform Logs OR XDR Agent |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | Command and Control (TA0011) |
| ATT&CK Technique | Proxy: Internal Proxy (T1090.001) |
| Severity | Informational |
Description
A host both received and initiated an unusual SSH connection, a pattern consistent with the host acting as an SSH proxy.
This behavior may indicate an attempt to establish covert command and control communication or to exfiltrate data.
Attacker's Goals
Attackers aim to establish a covert command and control channel or relay communications through a compromised SSH connection.
Investigative actions
Review the SSH connections to identify any unusual proxy activity or traffic patterns. Investigate the user accounts involved in the SSH connections to determine if credentials were compromised. Additionally, examine logs for any unexpected data transfers or commands that may indicate malicious intent.
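To make the detected pattern concrete, here is an added example (not Cortex XDR's own logic) that finds hosts which received an SSH connection and opened another one shortly afterwards, then suppresses hosts that already showed the same relay behaviour during the training period. The flow records, the five-minute relay window and the host addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SSH_PORT = 22

# Constructed sample flow records, not real telemetry: (timestamp, src_ip, dst_ip, dst_port)
TRAINING_FLOWS = [  # baseline period: 10.0.0.5 is a bastion that routinely relays SSH
    ("2024-05-01T09:00:00", "10.0.0.20", "10.0.0.5", 22),
    ("2024-05-01T09:00:10", "10.0.0.5", "10.0.0.30", 22),
    ("2024-05-10T11:00:00", "10.0.0.21", "10.0.0.5", 22),
    ("2024-05-10T11:00:05", "10.0.0.5", "10.0.0.31", 22),
]

TEST_FLOWS = [
    ("2024-06-01T10:00:00", "10.0.0.20", "10.0.0.5", 22),     # known bastion: in baseline, not alerted
    ("2024-06-01T10:00:04", "10.0.0.5", "10.0.0.30", 22),
    ("2024-06-01T13:00:00", "203.0.113.7", "10.0.0.40", 22),  # host receives SSH from outside...
    ("2024-06-01T13:00:07", "10.0.0.40", "10.0.0.50", 22),    # ...and immediately opens SSH onward
    ("2024-06-01T14:00:00", "10.0.0.60", "10.0.0.70", 22),    # outbound only: not a relay
    ("2024-06-01T15:00:00", "10.0.0.20", "10.0.0.80", 22),    # inbound, but the outbound SSH
    ("2024-06-01T18:00:00", "10.0.0.80", "10.0.0.90", 22),    # comes hours later: outside the window
]


def relay_hosts(flows, window=timedelta(minutes=5)):
    """Return {(relay, upstream, downstream)} for every host that received an
    SSH connection and initiated one within `window` after it."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for ts, src, dst, port in flows:
        if port != SSH_PORT:
            continue
        t = datetime.fromisoformat(ts)
        inbound[dst].append((t, src))
        outbound[src].append((t, dst))
    found = set()
    for host, ins in inbound.items():
        for t_in, upstream in ins:
            for t_out, downstream in outbound.get(host, []):
                if timedelta(0) <= t_out - t_in <= window:
                    found.add((host, upstream, downstream))
    return found


def detect(training_flows, test_flows, window=timedelta(minutes=5)):
    """Alert only on relay hosts that did not relay SSH during the training period."""
    baseline = {relay for relay, _, _ in relay_hosts(training_flows, window)}
    return sorted(r for r in relay_hosts(test_flows, window) if r[0] not in baseline)
```

The returned tuples name the relaying host together with the upstream client and downstream target, which is the starting point for the account and transfer review described above.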
Variations
- High Volume Unusual SSH activity that resembles SSH proxy
- Suspicious SSH activity that resembles SSH proxy
- Unusual SSH activity that resembles SSH proxy detected

Each variation shares the description, attacker's goals and investigative actions given above.