IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Login via Unusual System User My First Rule »
Elastic Docs Elastic Security Solution [8.15] Downloadable rule update v8.15.13

Unusual SSHD Child Process

edit

Unusual SSHD Child Process

edit

This rule detects the creation of an unusual SSHD child process through the usage of the new_terms rule type. Attackers may abuse SSH to maintain persistence on a compromised system, or to establish a backdoor for remote access, potentially resulting in an unusual SSHD child process being created.

Rule type: new_terms

Rule indices:

  • logs-endpoint.events.process*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
event.category:process and host.os.type:linux and event.type:start and event.action:exec and
process.parent.name:(ssh or sshd) and process.args_count:2 and
not process.command_line:(-bash or -zsh or -sh)

Framework: MITRE ATT&CKTM

« Login via Unusual System User My First Rule »