Potential Non-Standard Port SSH connection

calendar Oct 18, 2024 · Domain: Endpoint OS: Linux Use Case: Threat Detection Tactic: Command and Control OS: macOS Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/10/18"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/10/18"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For
11example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the
12standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.
13"""
14false_positives = [
15    """
16    SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such
17    uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and
18    noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such
19    legitimate ssh activities.
20    """,
21]
22from = "now-9m"
23index = ["logs-endpoint.events.*"]
24language = "eql"
25license = "Elastic License v2"
26name = "Potential Non-Standard Port SSH connection"
27references = ["https://attack.mitre.org/techniques/T1571/"]
28risk_score = 21
29rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
30severity = "low"
31tags = [
32    "Domain: Endpoint",
33    "OS: Linux",
34    "Use Case: Threat Detection",
35    "Tactic: Command and Control",
36    "OS: macOS",
37    "Data Source: Elastic Defend",
38]
39type = "eql"
40query = '''
41sequence by process.entity_id with maxspan=1m
42  [process where event.action == "exec" and process.name in ("ssh", "sshd") and not process.parent.name in (
43   "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id",
44   "run"
45   )
46  ]
47  [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and 
48   destination.port != 22 and network.transport == "tcp" and not (
49     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
50       destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
51       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
52       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
53       "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
54       "FF00::/8"
55     )
56   )
57  ]
58'''
59
60[[rule.threat]]
61framework = "MITRE ATT&CK"
62
63[[rule.threat.technique]]
64id = "T1571"
65name = "Non-Standard Port"
66reference = "https://attack.mitre.org/techniques/T1571/"
67
68[rule.threat.tactic]
69id = "TA0011"
70name = "Command and Control"
71reference = "https://attack.mitre.org/tactics/TA0011/"

References

Related rules

to-top