Network Connection Initiated by SSHD Child Process

Network Connection Initiated by SSHD Child Processedit

This rule identifies an egress internet connection initiated by an SSH Daemon child process. This behavior is indicative of the alteration of a shell configuration file or other mechanism that launches a process when a new SSH login occurs. Attackers can also backdoor the SSH daemon to allow for persistence, call out to a C2 or to steal credentials.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://hadess.io/the-art-of-linux-persistence/

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

sequence by host.id with maxspan=1s
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.parent.executable == "/usr/sbin/sshd"] by process.entity_id
  [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and not (
     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
     destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
     "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
     "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
     "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
     "FF00::/8", "172.31.0.0/16"
     )
    )
  ] by process.parent.entity_id

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Event Triggered Execution
- ID: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/
Sub-technique:
- Name: Unix Shell Configuration Modification
- ID: T1546.004
- Reference URL: https://attack.mitre.org/techniques/T1546/004/
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
Sub-technique:
- Name: SSH
- ID: T1021.004
- Reference URL: https://attack.mitre.org/techniques/T1021/004/
Technique:
- Name: Remote Service Session Hijacking
- ID: T1563
- Reference URL: https://attack.mitre.org/techniques/T1563/
Sub-technique:
- Name: SSH Hijacking
- ID: T1563.001
- Reference URL: https://attack.mitre.org/techniques/T1563/001/
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/

« Network Activity Detected via cat Network Connection from Binary with RWX Memory Region »