Potential Non-Standard Port SSH Connection
Identifies potentially malicious processes communicating over a port pairing not normally associated with SSH, for example SSH over port 2200 or 2222 instead of the conventional port 22. Attackers may change the standard port a protocol uses in order to bypass filtering or to confuse the analysis and parsing of network data. Concretely, the rule pairs an exec of ssh or sshd (ignoring a set of well-known automation parents) with an outbound TCP connection made by ssh to a destination port other than 22 within one minute; connections to private, loopback, link-local and other reserved ranges are excluded, so SSH on a non-standard port inside RFC 1918 space will not fire this rule.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Command and Control
- OS: macOS
- Data Source: Elastic Defend
Version: 6
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query

```eql
sequence by process.entity_id with maxspan=1m
  [process where event.action == "exec" and process.name in ("ssh", "sshd") and
   not process.parent.name in (
     "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest",
     "git-lfs", "expect", "Sourcetree", "ssh-copy-id", "run"
   )
  ]
  [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and
   destination.port != 22 and network.transport == "tcp" and not (
     destination.ip == null or destination.ip == "0.0.0.0" or
     cidrmatch(
       destination.ip,
       "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
       "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
       "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16",
       "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
       "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8"
     )
   )
  ]
```

Note that the first step accepts both ssh and sshd, while the second step only matches network events from ssh: an sshd exec alone never completes the sequence. The explicit `destination.ip == "0.0.0.0"` check is needed because none of the listed CIDRs cover 0.0.0.0/8.
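To see exactly which events the two-step sequence above accepts and rejects, the following is an added Python emulation of the rule's logic, not Elastic's code and not an EQL engine. It re-implements the parent exclusion list, the cidrmatch() range check and the one-minute `sequence by process.entity_id` join, and runs them over constructed sample events (the timestamps, entity IDs and the 8.8.8.8 placeholder for "some public host" are all made up for the example).

```python
"""Added example: emulate the Elastic rule's EQL sequence in Python over constructed events."""
import ipaddress
from datetime import datetime, timedelta

# Parent processes the rule excludes from the first (exec) step.
EXCLUDED_PARENTS = {
    "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest",
    "git-lfs", "expect", "Sourcetree", "ssh-copy-id", "run",
}

# Destination ranges the rule's cidrmatch() ignores (RFC 1918, loopback, link-local, CGNAT,
# documentation, benchmarking, multicast, class E, and IPv6 loopback/link-local/multicast).
IGNORED_NETWORKS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
    "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
    "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16",
    "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8",
)]

MAXSPAN = timedelta(minutes=1)  # the rule's `with maxspan=1m`


def is_ssh_exec(ev):
    """First sequence step: exec of ssh/sshd that was not launched by an excluded parent."""
    return (ev.get("event.category") == "process" and ev.get("event.action") == "exec"
            and ev.get("process.name") in ("ssh", "sshd")
            and ev.get("process.parent.name") not in EXCLUDED_PARENTS)


def is_ignored_destination(ip):
    """The `destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(...)` clause.
    0.0.0.0 is listed explicitly because no CIDR in the rule covers 0.0.0.0/8."""
    if ip is None or ip == "0.0.0.0":
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable value: treat like null and do not alert on it
    # `addr in net` is False when the IP versions differ, matching cidrmatch() semantics.
    return any(addr in net for net in IGNORED_NETWORKS)


def is_nonstandard_ssh_connection(ev):
    """Second sequence step: ssh opening TCP to a non-22 port on a destination that is not ignored."""
    return (ev.get("event.category") == "network" and ev.get("process.name") == "ssh"
            and ev.get("event.action") in ("connection_attempted", "connection_accepted")
            and ev.get("destination.port") != 22 and ev.get("network.transport") == "tcp"
            and not is_ignored_destination(ev.get("destination.ip")))


def detect(events):
    """Emulate `sequence by process.entity_id with maxspan=1m`.
    Simplification: only the most recent qualifying exec per entity_id is held pending."""
    pending = {}  # process.entity_id -> timestamp of the qualifying exec
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        eid = ev.get("process.entity_id")
        if is_ssh_exec(ev):
            pending[eid] = ev["@timestamp"]
        elif is_nonstandard_ssh_connection(ev) and eid in pending:
            if ev["@timestamp"] - pending[eid] <= MAXSPAN:
                alerts.append((eid, ev["destination.ip"], ev["destination.port"]))
            del pending[eid]  # the sequence either completed or expired; drop the exec
    return alerts


# Constructed sample telemetry (not real endpoint data). 8.8.8.8 stands in for any public host.
T0 = datetime(2024, 1, 1, 12, 0, 0)

def _exec(sec, eid, parent):
    return {"@timestamp": T0 + timedelta(seconds=sec), "event.category": "process",
            "event.action": "exec", "process.name": "ssh",
            "process.parent.name": parent, "process.entity_id": eid}

def _conn(sec, eid, ip, port):
    return {"@timestamp": T0 + timedelta(seconds=sec), "event.category": "network",
            "event.action": "connection_attempted", "process.name": "ssh",
            "network.transport": "tcp", "destination.ip": ip, "destination.port": port,
            "process.entity_id": eid}

SAMPLE_EVENTS = [
    _exec(0, "e1", "bash"),   _conn(1, "e1", "8.8.8.8", 2222),       # alerts
    _exec(5, "e2", "bash"),   _conn(6, "e2", "192.168.1.10", 2222),  # private destination: no alert
    _exec(10, "e3", "rsync"), _conn(11, "e3", "8.8.8.8", 2222),      # excluded parent: no alert
    _exec(20, "e4", "bash"),  _conn(320, "e4", "8.8.8.8", 2200),     # 5 min later: outside maxspan
    _exec(30, "e5", "bash"),  _conn(31, "e5", "8.8.8.8", 22),        # standard port: no alert
    _exec(40, "e6", "zsh"),   _conn(41, "e6", "fe80::1", 2222),      # IPv6 link-local: no alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT entity_id=%s -> %s:%d" % alert)
```

Running the script yields a single alert for entity e1. The other five pairs show the rule's main blind spots in practice: anything spawned by a listed automation parent, any destination inside the ignored ranges (including lateral movement over SSH on a non-standard port within RFC 1918 space), and any connection that lands more than a minute after the exec. Real EQL can track several in-flight sequences for the same key; this emulation keeps only the latest exec, which is enough to exercise the filters.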
Framework: MITRE ATT&CK
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Non-Standard Port
  - ID: T1571
  - Reference URL: https://attack.mitre.org/techniques/T1571/