Potential Non-Standard Port SSH Connection

Identifies potentially malicious processes communicating over a port pairing that is not commonly associated with SSH, for example SSH over port 2200 or 2222 instead of the traditional port 22. Adversaries may change the standard port a protocol uses in order to bypass filtering or to muddle analysis and parsing of network data.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Command and Control
  • OS: macOS
  • Data Source: Elastic Defend

Version: 6

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence by process.entity_id with maxspan=1m
  [process where event.action == "exec" and process.name in ("ssh", "sshd") and not process.parent.name in (
   "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id",
   "run"
   )
  ]
  [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and
   destination.port != 22 and network.transport == "tcp" and not (
     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
       destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
       "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
       "FF00::/8"
     )
   )
  ]
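To make the sequence logic of the query above concrete, the following is an added reference implementation in Python (not Elastic's code, and not how the Elastic detection engine runs EQL). It replays the rule over a handful of constructed endpoint events: an `ssh`/`sshd` exec whose parent is not on the exclusion list, followed within one minute, for the same `process.entity_id`, by an `ssh` TCP connection to a port other than 22 whose destination is neither missing, unspecified, nor inside one of the reserved ranges listed in the rule. The field names of the event dictionaries (`entity_id`, `process_name`, `dest_port`, and so on) and the IP address 192.0.3.1 are constructed for the example.

```python
"""Added example: the rule's sequence logic over constructed sample events.
Not Elastic's code; field names and sample values are assumptions."""
import ipaddress
from datetime import datetime, timedelta

# Parent process names excluded by the rule (taken from the query above).
EXCLUDED_PARENTS = {
    "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest",
    "git-lfs", "expect", "Sourcetree", "ssh-copy-id", "run",
}

# Destination ranges the rule's cidrmatch() clause ignores (from the query above).
IGNORED_NETWORKS = [ipaddress.ip_network(c, strict=False) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
    "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
    "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
    "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
    "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8",
)]

MAXSPAN = timedelta(minutes=1)  # "with maxspan=1m"


def is_ignored_destination(ip):
    """True when destination.ip is null, 0.0.0.0, or inside an ignored range."""
    if ip is None or ip == "0.0.0.0":
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable address: nothing actionable to alert on
    # 'in' is False when address and network families differ, so mixing v4/v6 is safe.
    return any(addr in net for net in IGNORED_NETWORKS)


def matches_exec(ev):
    """First sequence step: ssh/sshd exec not spawned by an excluded parent."""
    return (ev.get("category") == "process" and ev.get("action") == "exec"
            and ev.get("process_name") in ("ssh", "sshd")
            and ev.get("parent_name") not in EXCLUDED_PARENTS)


def matches_network(ev):
    """Second sequence step: ssh TCP connection to a non-22 port, public destination."""
    return (ev.get("category") == "network" and ev.get("process_name") == "ssh"
            and ev.get("action") in ("connection_attempted", "connection_accepted")
            and ev.get("dest_port") != 22 and ev.get("transport") == "tcp"
            and not is_ignored_destination(ev.get("dest_ip")))


def find_sequences(events):
    """Return (exec_event, network_event) pairs joined on entity_id within MAXSPAN."""
    pending = {}  # entity_id -> most recent qualifying exec event
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid = ev["entity_id"]
        if matches_exec(ev):
            pending[eid] = ev
        elif matches_network(ev) and eid in pending:
            first = pending.pop(eid)
            if ev["ts"] - first["ts"] <= MAXSPAN:
                hits.append((first, ev))
    return hits


# Constructed sample events (not real telemetry). Only entity p1 should alert.
T0 = datetime(2024, 1, 1, 12, 0, 0)


def _ev(eid, secs, **fields):
    return {"ts": T0 + timedelta(seconds=secs), "entity_id": eid, **fields}


SAMPLE_EVENTS = [
    # p1: ssh from an interactive shell to port 2222 on a public host -> alert
    _ev("p1", 0, category="process", action="exec", process_name="ssh", parent_name="bash"),
    _ev("p1", 5, category="network", action="connection_attempted", process_name="ssh",
        dest_ip="192.0.3.1", dest_port=2222, transport="tcp"),
    # p2: same connection, but parent is git (excluded) -> no alert
    _ev("p2", 0, category="process", action="exec", process_name="ssh", parent_name="git"),
    _ev("p2", 3, category="network", action="connection_attempted", process_name="ssh",
        dest_ip="192.0.3.1", dest_port=2222, transport="tcp"),
    # p3: standard port 22 -> no alert
    _ev("p3", 0, category="process", action="exec", process_name="ssh", parent_name="bash"),
    _ev("p3", 2, category="network", action="connection_accepted", process_name="ssh",
        dest_ip="192.0.3.1", dest_port=22, transport="tcp"),
    # p4: non-standard port but private (10/8) destination -> no alert
    _ev("p4", 0, category="process", action="exec", process_name="ssh", parent_name="bash"),
    _ev("p4", 4, category="network", action="connection_attempted", process_name="ssh",
        dest_ip="10.1.2.3", dest_port=2200, transport="tcp"),
    # p5: qualifying events but 2 minutes apart, outside maxspan -> no alert
    _ev("p5", 0, category="process", action="exec", process_name="ssh", parent_name="bash"),
    _ev("p5", 120, category="network", action="connection_attempted", process_name="ssh",
        dest_ip="192.0.3.1", dest_port=2222, transport="tcp"),
]


def run_sample():
    return find_sequences(SAMPLE_EVENTS)


if __name__ == "__main__":
    for first, second in run_sample():
        print(f"{first['entity_id']}: ssh exec by {first['parent_name']} -> "
              f"{second['dest_ip']}:{second['dest_port']}")
```

The exclusion list of parent processes and the reserved-range filter are where this rule's false-positive tuning lives: a lookalike event from `git` or a connection to a 10/8 address is intentionally dropped, so when adapting the rule to an environment with internal bastion hosts on non-standard ports, that is the clause to extend rather than the port check.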

Framework: MITRE ATT&CK™