Potential Non-Standard Port SSH connection
Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/10/18"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For
11example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the
12standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.
13"""
14false_positives = [
15 """
16 SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such
17 uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and
18 noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such
19 legitimate ssh activities.
20 """,
21]
22from = "now-9m"
23index = ["logs-endpoint.events.*"]
24language = "eql"
25license = "Elastic License v2"
26name = "Potential Non-Standard Port SSH connection"
27references = ["https://attack.mitre.org/techniques/T1571/"]
28risk_score = 21
29rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
30severity = "low"
31tags = [
32 "Domain: Endpoint",
33 "OS: Linux",
34 "Use Case: Threat Detection",
35 "Tactic: Command and Control",
36 "OS: macOS",
37 "Data Source: Elastic Defend",
38]
39type = "eql"
40
41query = '''
42sequence by process.entity_id with maxspan=1m
43 [process where event.action == "exec" and process.name:"ssh" and not process.parent.name in (
44 "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id",
45 "run"
46 )
47 ]
48 [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and
49 destination.port != 22 and destination.ip != "127.0.0.1" and network.transport: "tcp"
50 ]
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1571"
58name = "Non-Standard Port"
59reference = "https://attack.mitre.org/techniques/T1571/"
60
61
62[rule.threat.tactic]
63id = "TA0011"
64name = "Command and Control"
65reference = "https://attack.mitre.org/tactics/TA0011/"
References
-
G0099 APT-C-36 APT-C-36 has used port 4050 for C2 communications.[4] G0050 APT32 An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configura...
Read More
Related rules
- Apple Script Execution followed by Network Connection
- Bash Shell Profile Modification
- EggShell Backdoor Execution
- Elastic Agent Service Terminated
- Hosts File Modified