SSH (Secure Shell) from the Internet
This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3deprecation_date = "2021/04/15"
4maturity = "deprecated"
5updated_date = "2021/04/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by
11system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it
12should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial
13access or backdoor vector.
14"""
15false_positives = [
16 """
17 Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or
18 network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some
19 networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected
20 expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such
21 as remote access and support for specialized software products and servers. Such work-flows are usually known and
22 not unexpected.
23 """,
24]
25from = "now-9m"
26index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
27language = "kuery"
28license = "Elastic License v2"
29name = "SSH (Secure Shell) from the Internet"
30risk_score = 47
31rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17"
32severity = "medium"
33tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
34timestamp_override = "event.ingested"
35type = "query"
36
37query = '''
38event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and
39 not source.ip:(
40 10.0.0.0/8 or
41 127.0.0.0/8 or
42 169.254.0.0/16 or
43 172.16.0.0/12 or
44 192.168.0.0/16 or
45 224.0.0.0/4 or
46 "::1" or
47 "FE80::/10" or
48 "FF00::/8"
49 ) and
50 destination.ip:(
51 10.0.0.0/8 or
52 172.16.0.0/12 or
53 192.168.0.0/16
54 )
55'''
56
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60
61[rule.threat.tactic]
62id = "TA0011"
63name = "Command and Control"
64reference = "https://attack.mitre.org/tactics/TA0011/"
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67[[rule.threat.technique]]
68id = "T1021"
69name = "Remote Services"
70reference = "https://attack.mitre.org/techniques/T1021/"
71
72
73[rule.threat.tactic]
74id = "TA0008"
75name = "Lateral Movement"
76reference = "https://attack.mitre.org/tactics/TA0008/"
77[[rule.threat]]
78framework = "MITRE ATT&CK"
79[[rule.threat.technique]]
80id = "T1190"
81name = "Exploit Public-Facing Application"
82reference = "https://attack.mitre.org/techniques/T1190/"
83
84
85[rule.threat.tactic]
86id = "TA0001"
87name = "Initial Access"
88reference = "https://attack.mitre.org/tactics/TA0001/"
Related rules
- SSH (Secure Shell) to the Internet
- FTP (File Transfer Protocol) Activity to the Internet
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- PPTP (Point to Point Tunneling Protocol) Activity
- Proxy Port Activity to the Internet