Potential Non-Standard Port SSH connection
Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/10/18"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/09/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For
13example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the
14standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.
15"""
16false_positives = [
17 """
18 SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such
19 uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and
20 noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such
21 legitimate ssh activities.
22 """,
23]
24from = "now-9m"
25index = ["logs-endpoint.events.*"]
26language = "eql"
27license = "Elastic License v2"
28name = "Potential Non-Standard Port SSH connection"
29references = ["https://attack.mitre.org/techniques/T1571/"]
30risk_score = 21
31rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
32severity = "low"
33tags = ["Domain: Endpoint",
34 "OS: Linux",
35 "Use Case: Threat Detection",
36 "Tactic: Command and Control",
37 "OS: macOS",
38 "Data Source: Elastic Defend"
39 ]
40type = "eql"
41
42query = '''
43sequence by process.entity_id with maxspan=1m
44 [process where event.action == "exec" and process.name:"ssh" and not process.parent.name in (
45 "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id",
46 "run"
47 )
48 ]
49 [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and
50 destination.port != 22 and destination.ip != "127.0.0.1" and network.transport: "tcp"
51 ]
52'''
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56
57[[rule.threat.technique]]
58id = "T1571"
59name = "Non-Standard Port"
60reference = "https://attack.mitre.org/techniques/T1571/"
61
62[rule.threat.tactic]
63id = "TA0011"
64name = "Command and Control"
65reference = "https://attack.mitre.org/tactics/TA0011/"
References
-
G0099 APT-C-36 APT-C-36 has used port 4050 for C2 communications.[4] G0050 APT32 An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configura...
Read More
Related rules
- Bash Shell Profile Modification
- Deprecated - Potential DNS Tunneling via Iodine
- Modification of Standard Authentication Module or Configuration
- EggShell Backdoor Execution
- Potential JAVA/JNDI Exploitation Attempt