SSH (Secure Shell) to the Internet
This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3deprecation_date = "2021/04/15"
4maturity = "deprecated"
5updated_date = "2021/04/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by
11system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it
12should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial
13access or backdoor vector.
14"""
15false_positives = [
16 """
17 SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but
18 such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may
19 be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as
20 remote access and support for specialized software products and servers. Such work-flows are usually known and not
21 unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.
22 """,
23]
24from = "now-9m"
25index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
26language = "kuery"
27license = "Elastic License v2"
28name = "SSH (Secure Shell) to the Internet"
29risk_score = 21
30rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4"
31severity = "low"
32tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and
38 source.ip:(
39 10.0.0.0/8 or
40 172.16.0.0/12 or
41 192.168.0.0/16
42 ) and
43 not destination.ip:(
44 10.0.0.0/8 or
45 127.0.0.0/8 or
46 169.254.0.0/16 or
47 172.16.0.0/12 or
48 192.168.0.0/16 or
49 224.0.0.0/4 or
50 "::1" or
51 "FE80::/10" or
52 "FF00::/8"
53 )
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59
60[rule.threat.tactic]
61id = "TA0011"
62name = "Command and Control"
63reference = "https://attack.mitre.org/tactics/TA0011/"
Related rules
- SSH (Secure Shell) from the Internet
- FTP (File Transfer Protocol) Activity to the Internet
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- PPTP (Point to Point Tunneling Protocol) Activity
- Proxy Port Activity to the Internet