Multiple uncommon SSH Servers with the same Server host key

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2025-01-19
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Palo Alto Networks Platform Logs
  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Adversary-in-the-Middle (T1557)

Severity

Low

Description

Multiple uncommon SSH servers (servers not seen during the training period) presented the same server host key. A host key is normally unique to one host, so the same key appearing on several unfamiliar servers may indicate that those connections are being terminated by a single adversary-in-the-middle relay rather than by distinct hosts.

Attacker's Goals

Attackers may attempt to move laterally within the network by intercepting SSH sessions and relaying the stolen client credentials to another SSH server.

Investigative actions

  • Audit the authentication attempts to the SSH servers that presented the same host key.
  • Look for unusual or repeated connections to those servers from the same or unexpected client hosts.
  • Audit the client credentials involved; check for signs that compromised client credentials were accepted by more than one of the SSH servers sharing the key.
  • Rule out benign explanations for a shared host key, such as servers cloned from a common image or hosts behind a shared load balancer, before treating the reuse as an adversary-in-the-middle relay.
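The three audit steps above, carried out over constructed SSH session records, as an added example that is not part of the Cortex XDR product or its documentation. The record schema (ts, client_ip, user, server_ip, host_key_fp), the fingerprint values, the IP addresses and the baseline of "common" servers are all assumptions made for this example; the logic groups uncommon servers by the host key they presented, counts connections to the servers sharing a key, and lists the client credentials accepted by more than one of them.

```python
"""Triage of SSH host keys shared by several uncommon servers.

Added example; not Cortex XDR code. Field names and values are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample records (hypothetical schema): one record per accepted
# SSH session, with the fingerprint of the host key the server presented.
SAMPLE_SESSIONS = [
    # Normal traffic to a bastion that was seen throughout the training period.
    {"ts": "2025-01-18T08:00:01Z", "client_ip": "10.0.5.21", "user": "deploy",
     "server_ip": "10.0.1.10", "host_key_fp": "SHA256:BASTIONkey-constructed"},
    {"ts": "2025-01-18T08:10:44Z", "client_ip": "10.0.5.22", "user": "ops",
     "server_ip": "10.0.1.10", "host_key_fp": "SHA256:BASTIONkey-constructed"},
    # Two previously unseen servers presenting the same host key.
    {"ts": "2025-01-18T09:01:12Z", "client_ip": "10.0.5.21", "user": "deploy",
     "server_ip": "10.0.9.77", "host_key_fp": "SHA256:RELAYkey-constructed"},
    {"ts": "2025-01-18T09:03:40Z", "client_ip": "10.0.5.21", "user": "deploy",
     "server_ip": "10.0.9.78", "host_key_fp": "SHA256:RELAYkey-constructed"},
    {"ts": "2025-01-18T09:04:05Z", "client_ip": "10.0.5.30", "user": "svc-backup",
     "server_ip": "10.0.9.78", "host_key_fp": "SHA256:RELAYkey-constructed"},
    {"ts": "2025-01-18T09:20:00Z", "client_ip": "10.0.5.21", "user": "deploy",
     "server_ip": "10.0.9.77", "host_key_fp": "SHA256:RELAYkey-constructed"},
    # An unseen server with its own unique key: not flagged.
    {"ts": "2025-01-18T10:00:00Z", "client_ip": "10.0.5.40", "user": "alice",
     "server_ip": "10.0.9.90", "host_key_fp": "SHA256:UNIQUEkey-constructed"},
]

# Servers observed during the training period; anything else is "uncommon".
BASELINE_SERVERS = {"10.0.1.10"}


def shared_host_keys(sessions, baseline_servers, min_servers=2):
    """Map each host key fingerprint to the sorted list of uncommon servers
    that presented it, keeping only fingerprints seen on min_servers or more."""
    servers_by_key = defaultdict(set)
    for s in sessions:
        if s["server_ip"] not in baseline_servers:
            servers_by_key[s["host_key_fp"]].add(s["server_ip"])
    return {fp: sorted(srv) for fp, srv in servers_by_key.items()
            if len(srv) >= min_servers}


def audit_key(sessions, host_key_fp):
    """For one flagged fingerprint return (connections, reused_credentials).

    connections counts (client_ip, server_ip) pairs so repeated or unexpected
    sources stand out; reused_credentials lists users whose credentials were
    accepted by more than one server sharing the key, which is the pattern a
    relay of stolen client credentials would produce.
    """
    matching = [s for s in sessions if s["host_key_fp"] == host_key_fp]
    connections = Counter((s["client_ip"], s["server_ip"]) for s in matching)
    servers_by_user = defaultdict(set)
    for s in matching:
        servers_by_user[s["user"]].add(s["server_ip"])
    reused = {u: sorted(srv) for u, srv in servers_by_user.items() if len(srv) > 1}
    return connections, reused


def triage(sessions, baseline_servers):
    """Run all three audit steps and return a report keyed by fingerprint."""
    report = {}
    for fp, servers in shared_host_keys(sessions, baseline_servers).items():
        connections, reused = audit_key(sessions, fp)
        report[fp] = {"servers": servers,
                      "connections": dict(connections),
                      "reused_credentials": reused}
    return report


if __name__ == "__main__":
    for fp, r in triage(SAMPLE_SESSIONS, BASELINE_SERVERS).items():
        print(f"host key {fp} shared by {r['servers']}")
        for (client, server), n in sorted(r["connections"].items()):
            print(f"  {client} -> {server}: {n} session(s)")
        for user, servers in r["reused_credentials"].items():
            print(f"  credential {user!r} accepted by {servers}")
```

On the sample data only the key presented by 10.0.9.77 and 10.0.9.78 is reported; the bastion key is excluded because that server is in the baseline, and the unique key is seen on one server only. To confirm which key a server currently presents when following up, `ssh-keyscan -t ed25519 HOST | ssh-keygen -lf -` prints its fingerprint for comparison against the one in the alert; a match across hosts that were deliberately cloned from one image is a benign explanation worth ruling out first.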