Linux Restricted Shell Breakout via the SSH command

Identifies Linux binary SSH abuse to break out from restricted environments by spawning an interactive system shell. The SSH protocol is a network protocol that gives users, particularly system administrators, a secure way to access a computer over a network. The activity of spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 2

Rule authors:

Rule license: Elastic License v2

process where event.type == "start" and process.name : ("bash", "sh", "dash") and
  process.parent.name == "ssh" and process.parent.args == "-o" and
  process.parent.args in ("ProxyCommand=;sh 0<&2 1>&2", "ProxyCommand=;bash 0<&2 1>&2", "ProxyCommand=;dash 0<&2 1>&2", "ProxyCommand=;/bin/sh 0<&2 1>&2", "ProxyCommand=;/bin/bash 0<&2 1>&2", "ProxyCommand=;/bin/dash 0<&2 1>&2")