Synopsis

| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | Requires one of the following data sources: Palo Alto Networks Platform Logs OR XDR Agent OR Third-Party Firewalls |
| Detection Modules | |
| Detector Tags | NDR Lateral Movement Analytics |
| ATT&CK Tactic | Command and Control (TA0011) |
| ATT&CK Technique | |
| Severity | Low |
Description
An uncommon SSH session was established.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
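The synopsis above describes a baseline model rather than a signature: a 30-day training period, a single-event test (each new session is scored on its own), and a one-day deduplication window, with variations keyed on the client and server HASSH, the request and response banners, the destination IP and a nonstandard destination port. The following Python is an added illustration of how such a rarity detector can be expressed; it is not Cortex XDR code, and the SSH telemetry it scores is constructed. The HASSH computation follows the published definition (MD5 over the four KEXINIT algorithm lists joined by `;`); the record field names, the `min_count` threshold and the host/IP/banner values are assumptions.

```python
"""Rarity baseline for uncommon SSH sessions (added example, not product code)."""
import hashlib
from collections import Counter
from datetime import datetime, timedelta

TRAINING_DAYS = 30       # "Training Period: 30 Days" from the synopsis
DEDUP_DAYS = 1           # "Deduplication Period: 1 Day"
STANDARD_SSH_PORT = 22   # anything else drives the "nonstandard SSH port" variation


def hassh(kex, enc, mac, comp):
    """HASSH fingerprint: MD5 over the KEXINIT algorithm lists joined by ';'.
    The client HASSH uses the client-to-server lists, the server HASSH the
    server-to-client lists; the formula is the same for both."""
    return hashlib.md5(";".join((kex, enc, mac, comp)).encode()).hexdigest()


# Session attribute -> variation it drives (names follow the page's variation titles).
RARITY_VARIATIONS = {
    "client_hassh": "rare Client HASSH",
    "server_hassh": "rare Server HASSH",
    "client_banner": "rare request banner",
    "server_banner": "rare Response banner",
    "dst_ip": "rare IP address",
}


def build_baseline(sessions, now, training_days=TRAINING_DAYS):
    """Count each attribute value seen in the training window [now - N days, now)."""
    start = now - timedelta(days=training_days)
    baseline = {attr: Counter() for attr in RARITY_VARIATIONS}
    for s in sessions:
        if start <= s["ts"] < now:
            for attr in RARITY_VARIATIONS:
                baseline[attr][s[attr]] += 1
    return baseline


def _emit(fired, alert_log, session, name, value):
    """Append an alert unless the same (host, variation, value) fired within DEDUP_DAYS."""
    key = (session["src_host"], name, value)
    last = alert_log.get(key)
    if last is not None and session["ts"] - last < timedelta(days=DEDUP_DAYS):
        return
    alert_log[key] = session["ts"]
    fired.append(name)


def evaluate(session, baseline, alert_log, min_count=1):
    """Score one session on its own (single-event test) and return the variations fired.
    alert_log is mutated: it remembers when each alert key last fired."""
    fired = []
    for attr, name in RARITY_VARIATIONS.items():
        if baseline[attr][session[attr]] < min_count:   # never seen during training
            _emit(fired, alert_log, session, name, session[attr])
    if session["dst_port"] != STANDARD_SSH_PORT:
        _emit(fired, alert_log, session, "nonstandard SSH port", session["dst_port"])
    return fired


# Constructed KEXINIT lists (assumed, not captured traffic).
CLIENT_LISTS = ("curve25519-sha256,ecdh-sha2-nistp256", "aes256-gcm@openssh.com",
                "hmac-sha2-256", "none,zlib@openssh.com")
INTERNAL_SERVER_LISTS = ("curve25519-sha256", "aes256-gcm@openssh.com,aes128-ctr",
                         "hmac-sha2-256", "none")
EXTERNAL_SERVER_LISTS = ("diffie-hellman-group14-sha1", "aes128-cbc", "hmac-sha1", "none")
NOW = datetime(2024, 6, 1, 12, 0)


def sample_sessions(now=NOW):
    """Constructed telemetry: 30 days of routine SSH from ws-01 to an internal server."""
    return [{
        "ts": now - timedelta(days=day), "src_host": "ws-01",
        "dst_ip": "10.0.0.5", "dst_port": 22,
        "client_banner": "SSH-2.0-OpenSSH_9.6", "server_banner": "SSH-2.0-OpenSSH_9.3",
        "client_hassh": hassh(*CLIENT_LISTS), "server_hassh": hassh(*INTERNAL_SERVER_LISTS),
    } for day in range(1, TRAINING_DAYS + 1)]


def new_session(offset=timedelta(0), now=NOW):
    """Constructed session from the same client to a never-seen external host on port 2222."""
    return {
        "ts": now + offset, "src_host": "ws-01",
        "dst_ip": "203.0.113.7", "dst_port": 2222,
        "client_banner": "SSH-2.0-OpenSSH_9.6", "server_banner": "SSH-2.0-dropbear_2020.81",
        "client_hassh": hassh(*CLIENT_LISTS), "server_hassh": hassh(*EXTERNAL_SERVER_LISTS),
    }


def run_demo():
    """Return (first, repeat, later): alerts for the new session, for a replay two
    hours later (suppressed by deduplication) and for one two days later (fires again)."""
    baseline = build_baseline(sample_sessions(), NOW)
    alert_log = {}
    first = evaluate(new_session(), baseline, alert_log)
    repeat = evaluate(new_session(timedelta(hours=2)), baseline, alert_log)
    later = evaluate(new_session(timedelta(days=2)), baseline, alert_log)
    return first, repeat, later


if __name__ == "__main__":
    for label, alerts in zip(("first", "repeat", "later"), run_demo()):
        print(f"{label}: {alerts}")
```

Because the client side of the new session (its banner and HASSH) was seen every day of the training window, only the server-side attributes, the destination IP and the port fire; the replay two hours later is suppressed by the deduplication window, while the session two days later alerts again. A production model would refresh the baseline as the window slides and use a count threshold rather than strict "never seen", which is what `min_count` is for.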
Variations
An Uncommon SSH session was established using a rare server HASSH for the ssh server
Description
An uncommon SSH session was established using a rare server HASSH for the SSH server.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
An Uncommon SSH session was established using a rare client HASSH for the agent
Description
An uncommon SSH session was established using a rare client HASSH for the agent.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
An Uncommon SSH session was established using a rare request banner for the agent
Description
An uncommon SSH session was established using a rare request banner for the agent.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
An Uncommon SSH session was established using a rare Response banner for the ssh server
Description
An uncommon SSH session was established using a rare response banner for the SSH server.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
An Uncommon SSH session was established using a rare Response banner
Description
An uncommon SSH session was established using a rare response banner.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
An Uncommon SSH session was established using a rare request banner
Description
An uncommon SSH session was established using a rare request banner.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
An Uncommon SSH session was established using a rare Client HASSH
Description
An uncommon SSH session was established using a rare client HASSH.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
An Uncommon SSH session was established using a rare Server HASSH
Description
An uncommon SSH session was established using a rare server HASSH.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
A suspicious SSH session was established
Description
A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
An Uncommon SSH session was established to a rare IP address
Description
An uncommon SSH session was established to a rare remote IP address.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
An Uncommon SSH session was established using a nonstandard SSH port
Description
An uncommon SSH session was established to a destination using a nonstandard SSH port.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
Uncommon SSH session was established to an internal IP
Description
An uncommon SSH session was established to an internal IP.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.