IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Network Connection Initiated by SSHD Child Process
editNetwork Connection Initiated by SSHD Child Process
editThis rule identifies an egress internet connection initiated by an SSH Daemon child process. This behavior is indicative of the alteration of a shell configuration file or other mechanism that launches a process when a new SSH login occurs. Attackers can also backdoor the SSH daemon to allow for persistence, call out to a C2 or to steal credentials.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Persistence
- Data Source: Elastic Defend
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editsequence by host.id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.parent.executable == "/usr/sbin/sshd"] by process.entity_id
[network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and not (
destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
"192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
"192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
"FF00::/8", "172.31.0.0/16"
)
) and not (
process.executable in ("/bin/yum", "/usr/bin/yum") or
process.name in ("login_duo", "ssh", "sshd", "sshd-session")
)
] by process.parent.entity_id
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Event Triggered Execution
- ID: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/
-
Sub-technique:
- Name: Unix Shell Configuration Modification
- ID: T1546.004
- Reference URL: https://attack.mitre.org/techniques/T1546/004/
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
-
Sub-technique:
- Name: SSH
- ID: T1021.004
- Reference URL: https://attack.mitre.org/techniques/T1021/004/
-
Technique:
- Name: Remote Service Session Hijacking
- ID: T1563
- Reference URL: https://attack.mitre.org/techniques/T1563/
-
Sub-technique:
- Name: SSH Hijacking
- ID: T1563.001
- Reference URL: https://attack.mitre.org/techniques/T1563/001/
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/