Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | NDR Lateral Movement Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An uncommon SSH session was established.
Attacker's Goals
Attackers may use SSH or a similar utility to create a network tunnel that lets them covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
Variations
A suspicious SSH session was established
An Uncommon SSH session was established to a rare IP address
An Uncommon SSH session was established using a nonstandard SSH port
Uncommon SSH session was established to an internal IP
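For triage, it helps to see how a baseline-driven rule of this kind can behave. The following is an added illustration, not the product's detection logic: it assumes the Activation Period is a learning-only warm-up, the Training Period is how long a seen destination stays in the baseline, and the Deduplication Period limits alerts to one per host and variation. The host name, IP addresses and the mapping to variation names are constructed for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ACTIVATION = timedelta(days=14)  # assumed use: learning-only warm-up, no alerts
TRAINING = timedelta(days=30)    # assumed use: how long a seen destination stays "common"
DEDUP = timedelta(days=1)        # assumed use: one alert per host and variation per day
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample SSH flow records: (timestamp, source host, destination IP, port)
FLOWS = [
    ("2024-01-02T09:00", "ws-17", "10.0.5.20", 22),       # warm-up, learned silently
    ("2024-01-20T09:05", "ws-17", "10.0.5.20", 22),
    ("2024-02-05T03:12", "ws-17", "203.0.113.50", 22),    # new external destination
    ("2024-02-05T03:40", "ws-17", "203.0.113.77", 22),    # same variation within a day
    ("2024-02-06T04:00", "ws-17", "198.51.100.7", 2222),  # nonstandard port
    ("2024-02-07T11:30", "ws-17", "10.0.9.99", 22),       # new internal destination
    ("2024-02-08T09:00", "ws-17", "10.0.5.20", 22),       # still in the baseline
]

def variation(dst, port):
    """Name the variation for an uncommon session (mapping assumed for this example)."""
    if port != 22:
        return "nonstandard SSH port"
    if any(ip_address(dst) in net for net in INTERNAL):
        return "internal IP"
    return "rare IP address"

def detect(flows):
    """Return (timestamp, source, destination, port, variation) for each alert raised."""
    seen, last_alert, alerts, start = {}, {}, [], None
    for ts, src, dst, port in sorted(flows):
        now = datetime.fromisoformat(ts)
        start = start or now
        key = (src, dst, port)
        uncommon = key not in seen or now - seen[key] > TRAINING
        seen[key] = now  # always learn, even when an alert is raised or suppressed
        if not uncommon or now - start < ACTIVATION:
            continue
        kind = variation(dst, port)
        if (src, kind) in last_alert and now - last_alert[(src, kind)] < DEDUP:
            continue
        last_alert[(src, kind)] = now
        alerts.append((ts, src, dst, port, kind))
    return alerts

if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Under these assumptions, a deduplicated alert can stand for several distinct destinations, so the investigation should pull all SSH sessions from the host for that day rather than only the one named in the alert.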