Uncommon SSH session was established

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-11-18
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent
      OR
    • Third-Party Firewalls

Detection Modules

Detector Tags

NDR Lateral Movement Analytics

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Severity

Low

Description

An uncommon SSH session was established.

Attacker's Goals

Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.

Investigative actions

  • Review the external IP/domain using known intelligence tools.
  • Investigate the causality of the process and its user ID to find uncommon behaviors.
  • Search for processes or files that were created by this SSH instance.

Variations

A suspicious SSH session was established

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Severity

Low

Description

A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port.

Attacker's Goals

Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.

Investigative actions

  • Review the external IP/domain using known intelligence tools.
  • Investigate the causality of the process and its user ID to find uncommon behaviors.
  • Search for processes or files that were created by this SSH instance.


An Uncommon SSH session was established to a rare IP address

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Severity

Low

Description

An uncommon SSH session was established to a rare remote IP address.

Attacker's Goals

Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.

Investigative actions

  • Review the external IP/domain using known intelligence tools.
  • Investigate the causality of the process and its user ID to find uncommon behaviors.
  • Search for processes or files that were created by this SSH instance.


An Uncommon SSH session was established using a nonstandard SSH port

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Severity

Low

Description

An uncommon SSH session was established with a destination port using a nonstandard SSH port.

Attacker's Goals

Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.

Investigative actions

  • Review the external IP/domain using known intelligence tools.
  • Investigate the causality of the process and its user ID to find uncommon behaviors.
  • Search for processes or files that were created by this SSH instance.


Uncommon SSH session was established to an internal IP

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Severity

Informational

Description

An uncommon SSH session was established to an internal IP.

Attacker's Goals

Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.

Investigative actions

  • Review the external IP/domain using known intelligence tools.
  • Investigate the causality of the process and its user ID to find uncommon behaviors.
  • Search for processes or files that were created by this SSH instance.