Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
12 Hours |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Informational |
Description
An uncommon network tunnel was established.
Attacker's Goals
Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
Investigative actions
- Review the external IP/domain using known intelligence tools.
- Investigate the causality of the process and its user ID to find uncommon behaviors.
- Search for processes or files that were created by this SSH instance.
Variations
Uncommon network tunnel creationUncommon SSH tunnel to unpopular IP address
An uncommon network tunnel was established over the default SSH port