Elastic Security Detection Rules

Potential Non-Standard Port SSH connection

Last updated a month ago on 2024-10-18
Created 2 years ago on 2022-10-18

About

Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Command and ControlOS: macOSData Source: Elastic Defend
Severity
low
Risk Score
21
MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

Non-Standard Port (T1571)(opens in a new tab or window)

False Positive Examples
SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such legitimate ssh activities.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.*
Related Integrations

endpoint(opens in a new tab or window)

Query
sequence by process.entity_id with maxspan=1m
  [process where event.action == "exec" and process.name in ("ssh", "sshd") and not process.parent.name in (
   "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id",
   "run"
   )
  ]
  [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and 
   destination.port != 22 and network.transport == "tcp" and not (
     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
       destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
       "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
       "FF00::/8"
     )
   )
  ]

Install detection rules in Elastic Security

Detect Potential Non-Standard Port SSH connection in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).