Potential Non-Standard Port SSH connectionedit
Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Command and Control
- macOS
Version: 1
Added (Elastic Stack release): 8.6.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positivesedit
SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such legitimate ssh activities.
Rule queryedit
sequence by process.entity_id with maxspan=1m [process where event.action == "exec" and process.name:"ssh"] [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and destination.port != 22 and destination.ip != "127.0.0.1" and network.transport: "tcp" ]
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Non-Standard Port
- ID: T1571
- Reference URL: https://attack.mitre.org/techniques/T1571/