Unusual SSHD Child Process

This rule detects the creation of an unusual SSHD child process through the usage of the new_terms rule type. Attackers may abuse SSH to maintain persistence on a compromised system, or to establish a backdoor for remote access, potentially resulting in an unusual SSHD child process being created.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/12/16"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects the creation of an unusual SSHD child process through the usage of the `new_terms` rule type.
 11Attackers may abuse SSH to maintain persistence on a compromised system, or to establish a backdoor for remote access,
 12potentially resulting in an unusual SSHD child process being created.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.process*"]
 16language = "kuery"
 17license = "Elastic License v2"
 18name = "Unusual SSHD Child Process"
 19references = ["https://hadess.io/the-art-of-linux-persistence/"]
 20risk_score = 47
 21rule_id = "4c3c6c47-e38f-4944-be27-5c80be973bd7"
 22severity = "medium"
 23tags = [
 24    "Domain: Endpoint",
 25    "OS: Linux",
 26    "Use Case: Threat Detection",
 27    "Tactic: Persistence",
 28    "Data Source: Elastic Defend",
 29    "Resources: Investigation Guide"
 30]
 31timestamp_override = "event.ingested"
 32type = "new_terms"
 33query = '''
 34event.category:process and host.os.type:linux and event.type:start and event.action:exec and
 35process.parent.name:(ssh or sshd) and process.args_count:2 and
 36not process.command_line:(-bash or -zsh or -sh)
 37'''
 38note = """## Triage and analysis
 39
 40> **Disclaimer**:
 41> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 42
 43### Investigating Unusual SSHD Child Process
 44
 45Secure Shell (SSH) is a protocol used to securely access remote systems. Adversaries may exploit SSH to maintain persistence or create backdoors by spawning unexpected child processes. The detection rule identifies anomalies by monitoring process creation events where SSH or SSHD is the parent, focusing on atypical command-line arguments, which may indicate malicious activity.
 46
 47### Possible investigation steps
 48
 49- Review the process command line arguments for the unusual SSHD child process to identify any suspicious or unexpected commands that could indicate malicious activity.
 50- Check the user account associated with the SSHD child process to determine if it is a legitimate user or if there are signs of compromise, such as unusual login times or locations.
 51- Investigate the parent process (SSH or SSHD) to understand the context of the connection, including the source IP address and any associated user activity, to assess if it aligns with expected behavior.
 52- Examine the process tree to identify any subsequent processes spawned by the unusual SSHD child process, which may provide further insight into the attacker's actions or objectives.
 53- Correlate the event with other security logs and alerts from the same host or network segment to identify any related suspicious activities or patterns that could indicate a broader attack campaign.
 54
 55### False positive analysis
 56
 57- Legitimate administrative scripts or automation tools may trigger this rule if they execute commands with SSH or SSHD as the parent process. To handle this, identify and document these scripts, then create exceptions for their specific command-line patterns.
 58- System maintenance tasks or updates that involve SSH connections might appear as unusual child processes. Regularly review and whitelist these known maintenance activities to prevent unnecessary alerts.
 59- Custom user environments or shell configurations that deviate from standard shells like bash, zsh, or sh could be flagged. Analyze these configurations and exclude them if they are verified as non-threatening.
 60- Monitoring tools or security solutions that interact with SSH sessions for logging or auditing purposes might generate alerts. Verify these tools' behavior and exclude their processes if they are part of legitimate monitoring activities.
 61
 62### Response and remediation
 63
 64- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
 65- Terminate any suspicious SSHD child processes identified by the alert to halt potential malicious activities.
 66- Conduct a thorough review of SSH configuration files and access logs to identify unauthorized changes or access patterns, and revert any unauthorized modifications.
 67- Change all SSH keys and credentials associated with the compromised system to prevent further unauthorized access.
 68- Implement additional monitoring on the affected system and related network segments to detect any further suspicious activities or attempts to re-establish persistence.
 69- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
 70- Review and update firewall rules and access controls to restrict SSH access to only trusted IP addresses and users, reducing the attack surface for future incidents."""
 71
 72[[rule.threat]]
 73framework = "MITRE ATT&CK"
 74
 75[[rule.threat.technique]]
 76id = "T1546"
 77name = "Event Triggered Execution"
 78reference = "https://attack.mitre.org/techniques/T1546/"
 79
 80[[rule.threat.technique.subtechnique]]
 81id = "T1546.004"
 82name = "Unix Shell Configuration Modification"
 83reference = "https://attack.mitre.org/techniques/T1546/004/"
 84
 85[rule.threat.tactic]
 86id = "TA0003"
 87name = "Persistence"
 88reference = "https://attack.mitre.org/tactics/TA0003/"
 89
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92
 93[[rule.threat.technique]]
 94id = "T1021"
 95name = "Remote Services"
 96reference = "https://attack.mitre.org/techniques/T1021/"
 97
 98[[rule.threat.technique.subtechnique]]
 99id = "T1021.004"
100name = "SSH"
101reference = "https://attack.mitre.org/techniques/T1021/004/"
102
103[[rule.threat.technique]]
104id = "T1563"
105name = "Remote Service Session Hijacking"
106reference = "https://attack.mitre.org/techniques/T1563/"
107
108[[rule.threat.technique.subtechnique]]
109id = "T1563.001"
110name = "SSH Hijacking"
111reference = "https://attack.mitre.org/techniques/T1563/001/"
112
113[rule.threat.tactic]
114id = "TA0008"
115name = "Lateral Movement"
116reference = "https://attack.mitre.org/tactics/TA0008/"
117
118[[rule.threat]]
119framework = "MITRE ATT&CK"
120
121[rule.threat.tactic]
122id = "TA0011"
123name = "Command and Control"
124reference = "https://attack.mitre.org/tactics/TA0011/"
125
126[rule.new_terms]
127field = "new_terms_fields"
128value = ["process.executable"]
129
130[[rule.new_terms.history_window_start]]
131field = "history_window_start"
132value = "now-14d"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Unusual SSHD Child Process

Secure Shell (SSH) is a protocol used to securely access remote systems. Adversaries may exploit SSH to maintain persistence or create backdoors by spawning unexpected child processes. The detection rule identifies anomalies by monitoring process creation events where SSH or SSHD is the parent, focusing on atypical command-line arguments, which may indicate malicious activity.

Possible investigation steps

  • Review the process command line arguments for the unusual SSHD child process to identify any suspicious or unexpected commands that could indicate malicious activity.
  • Check the user account associated with the SSHD child process to determine if it is a legitimate user or if there are signs of compromise, such as unusual login times or locations.
  • Investigate the parent process (SSH or SSHD) to understand the context of the connection, including the source IP address and any associated user activity, to assess if it aligns with expected behavior.
  • Examine the process tree to identify any subsequent processes spawned by the unusual SSHD child process, which may provide further insight into the attacker's actions or objectives.
  • Correlate the event with other security logs and alerts from the same host or network segment to identify any related suspicious activities or patterns that could indicate a broader attack campaign.

False positive analysis

  • Legitimate administrative scripts or automation tools may trigger this rule if they execute commands with SSH or SSHD as the parent process. To handle this, identify and document these scripts, then create exceptions for their specific command-line patterns.
  • System maintenance tasks or updates that involve SSH connections might appear as unusual child processes. Regularly review and whitelist these known maintenance activities to prevent unnecessary alerts.
  • Custom user environments or shell configurations that deviate from standard shells like bash, zsh, or sh could be flagged. Analyze these configurations and exclude them if they are verified as non-threatening.
  • Monitoring tools or security solutions that interact with SSH sessions for logging or auditing purposes might generate alerts. Verify these tools' behavior and exclude their processes if they are part of legitimate monitoring activities.

Response and remediation

  • Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
  • Terminate any suspicious SSHD child processes identified by the alert to halt potential malicious activities.
  • Conduct a thorough review of SSH configuration files and access logs to identify unauthorized changes or access patterns, and revert any unauthorized modifications.
  • Change all SSH keys and credentials associated with the compromised system to prevent further unauthorized access.
  • Implement additional monitoring on the affected system and related network segments to detect any further suspicious activities or attempts to re-establish persistence.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
  • Review and update firewall rules and access controls to restrict SSH access to only trusted IP addresses and users, reducing the attack surface for future incidents.

References

Related rules

to-top