Potential Non-Standard Port SSH connection

Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2022/10/18"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For
 11example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the
 12standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.
 13"""
 14false_positives = [
 15    """
 16    SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such
 17    uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and
 18    noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such
 19    legitimate ssh activities.
 20    """,
 21]
 22from = "now-9m"
 23index = ["logs-endpoint.events.*"]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "Potential Non-Standard Port SSH connection"
 27references = ["https://attack.mitre.org/techniques/T1571/"]
 28risk_score = 21
 29rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
 30severity = "low"
 31tags = [
 32    "Domain: Endpoint",
 33    "OS: Linux",
 34    "Use Case: Threat Detection",
 35    "Tactic: Command and Control",
 36    "OS: macOS",
 37    "Data Source: Elastic Defend",
 38    "Resources: Investigation Guide",
 39]
 40type = "eql"
 41query = '''
 42sequence by process.entity_id with maxspan=1m
 43  [process where event.action == "exec" and process.name in ("ssh", "sshd") and not process.parent.name in (
 44   "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id",
 45   "run"
 46   )
 47  ]
 48  [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and
 49   destination.port != 22 and network.transport == "tcp" and not (
 50     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
 51       destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
 52       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
 53       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
 54       "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
 55       "FF00::/8"
 56     )
 57   )
 58  ]
 59'''
 60note = """## Triage and analysis
 61
 62> **Disclaimer**:
 63> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 64
 65### Investigating Potential Non-Standard Port SSH connection
 66
 67SSH is a protocol used for secure remote access and management of systems. Typically, it operates over port 22. However, adversaries may exploit non-standard ports to evade detection and bypass network filters. The detection rule identifies unusual SSH activity by monitoring processes and network connections on ports other than 22, excluding common benign use cases, to flag potential threats.
 68
 69### Possible investigation steps
 70
 71- Review the process details, including process.entity_id and process.name, to confirm the execution of SSH or SSHD processes and identify any unusual parent processes not listed in the exclusion list.
 72- Examine the network connection details, focusing on destination.port to verify the use of non-standard ports for SSH connections and assess if these ports are commonly used within the organization.
 73- Analyze the destination.ip to determine if the connection is being made to an external or potentially malicious IP address, especially if it falls outside the specified CIDR ranges.
 74- Investigate the context of the SSH connection attempt by checking for any recent changes in network configurations or firewall rules that might explain the use of non-standard ports.
 75- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
 76
 77### False positive analysis
 78
 79- Legitimate administrative tools like rsync, git, and ansible-playbook may use SSH over non-standard ports for valid operations. Ensure these tools are included in the process.parent.name exclusion list to prevent false positives.
 80- Backup and synchronization applications such as pyznap and pgbackrest might use SSH on non-standard ports. Add these applications to the exclusion list to avoid unnecessary alerts.
 81- Development and deployment tools like Sourcetree and git-lfs may establish SSH connections on non-standard ports during routine operations. Verify these tools are part of the exclusion criteria to minimize false positives.
 82- Custom scripts or automation tasks that use SSH on non-standard ports for internal processes should be reviewed and, if deemed safe, added to the exclusion list to reduce noise.
 83- Internal network traffic to non-public IP ranges might be flagged if not properly excluded. Ensure that internal IP ranges are correctly specified in the cidrmatch exclusion to prevent false positives.
 84
 85### Response and remediation
 86
 87- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 88- Terminate any suspicious SSH processes identified on non-standard ports to halt potential malicious activity.
 89- Conduct a thorough review of the system's SSH configuration files to identify unauthorized changes, such as modifications to the SSH port settings, and revert them to the standard configuration.
 90- Reset credentials for any accounts accessed via the non-standard port to prevent further unauthorized access.
 91- Implement network-level controls to block SSH traffic on non-standard ports unless explicitly required and documented for legitimate use cases.
 92- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 93- Enhance monitoring and alerting for SSH connections on non-standard ports across the network to improve early detection of similar threats in the future."""
 94
 95[[rule.threat]]
 96framework = "MITRE ATT&CK"
 97
 98[[rule.threat.technique]]
 99id = "T1571"
100name = "Non-Standard Port"
101reference = "https://attack.mitre.org/techniques/T1571/"
102
103[rule.threat.tactic]
104id = "TA0011"
105name = "Command and Control"
106reference = "https://attack.mitre.org/tactics/TA0011/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Potential Non-Standard Port SSH connection

SSH is a protocol used for secure remote access and management of systems. Typically, it operates over port 22. However, adversaries may exploit non-standard ports to evade detection and bypass network filters. The detection rule identifies unusual SSH activity by monitoring processes and network connections on ports other than 22, excluding common benign use cases, to flag potential threats.

Possible investigation steps

  • Review the process details, including process.entity_id and process.name, to confirm the execution of SSH or SSHD processes and identify any unusual parent processes not listed in the exclusion list.
  • Examine the network connection details, focusing on destination.port to verify the use of non-standard ports for SSH connections and assess if these ports are commonly used within the organization.
  • Analyze the destination.ip to determine if the connection is being made to an external or potentially malicious IP address, especially if it falls outside the specified CIDR ranges.
  • Investigate the context of the SSH connection attempt by checking for any recent changes in network configurations or firewall rules that might explain the use of non-standard ports.
  • Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.

False positive analysis

  • Legitimate administrative tools like rsync, git, and ansible-playbook may use SSH over non-standard ports for valid operations. Ensure these tools are included in the process.parent.name exclusion list to prevent false positives.
  • Backup and synchronization applications such as pyznap and pgbackrest might use SSH on non-standard ports. Add these applications to the exclusion list to avoid unnecessary alerts.
  • Development and deployment tools like Sourcetree and git-lfs may establish SSH connections on non-standard ports during routine operations. Verify these tools are part of the exclusion criteria to minimize false positives.
  • Custom scripts or automation tasks that use SSH on non-standard ports for internal processes should be reviewed and, if deemed safe, added to the exclusion list to reduce noise.
  • Internal network traffic to non-public IP ranges might be flagged if not properly excluded. Ensure that internal IP ranges are correctly specified in the cidrmatch exclusion to prevent false positives.

Response and remediation

  • Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
  • Terminate any suspicious SSH processes identified on non-standard ports to halt potential malicious activity.
  • Conduct a thorough review of the system's SSH configuration files to identify unauthorized changes, such as modifications to the SSH port settings, and revert them to the standard configuration.
  • Reset credentials for any accounts accessed via the non-standard port to prevent further unauthorized access.
  • Implement network-level controls to block SSH traffic on non-standard ports unless explicitly required and documented for legitimate use cases.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
  • Enhance monitoring and alerting for SSH connections on non-standard ports across the network to improve early detection of similar threats in the future.

References

Related rules

to-top