LoFP / false positives (FP) can appear if another remote terminal service is being used to connect to its listener, but typically SSH is used in these scenarios.

Techniques

Sample rules

Suspicious Network Connection Attempt by Root

Description

Identifies an outbound network connection attempt followed by a session ID change as the root user by the same process entity. This combination is abnormal and should be investigated, as it may indicate reverse shell activity via a privileged process.

Detection logic

sequence by process.entity_id with maxspan=1m
[network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
    not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")]
[process where host.os.type == "linux" and event.action == "session_id_change" and user.id == "0" and
    not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")]
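The following is an added example, not part of the LoFP page or Elastic's rule, that re-implements the sequence above over a handful of constructed Linux events so the correlation can be checked offline: a root connection_attempted event followed within one minute by a session_id_change event for the same process.entity_id, with the rule's SSH/systemd executable exclusions applied to both stages. The EQL sequence semantics are simplified (one pending first-stage event per entity, the newest winning), and the field names and sample values below are constructed to mirror the rule's ECS fields.

```python
from datetime import datetime, timedelta

# Executables excluded by both stages of the rule (copied from the rule text).
EXCLUDED_EXECUTABLES = {
    "/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd",
    "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/sshpass",
}
MAXSPAN = timedelta(minutes=1)  # sequence ... with maxspan=1m


def make_event(ts, category, action, entity_id, executable, uid="0", event_type="start"):
    """Build a constructed ECS-like event dict (sample data, not real telemetry)."""
    return {
        "@timestamp": ts, "event.category": category, "event.type": event_type,
        "event.action": action, "host.os.type": "linux", "user.id": uid,
        "process.entity_id": entity_id, "process.executable": executable,
    }


def is_root_connection(ev):
    """First stage: root outbound connection attempt from a non-excluded binary."""
    return (ev["event.category"] == "network" and ev["host.os.type"] == "linux"
            and ev["event.type"] == "start" and ev["event.action"] == "connection_attempted"
            and ev["user.id"] == "0" and ev["process.executable"] not in EXCLUDED_EXECUTABLES)


def is_root_session_change(ev):
    """Second stage: root session ID change from a non-excluded binary."""
    return (ev["event.category"] == "process" and ev["host.os.type"] == "linux"
            and ev["event.action"] == "session_id_change" and ev["user.id"] == "0"
            and ev["process.executable"] not in EXCLUDED_EXECUTABLES)


def find_sequences(events):
    """Return (first_stage, second_stage) pairs joined on process.entity_id within MAXSPAN.

    Simplified EQL semantics: events are processed in time order and the most
    recent first-stage event per entity is kept until a second-stage event
    arrives; a second-stage event outside maxspan discards the pending match.
    """
    pending = {}   # process.entity_id -> pending first-stage event
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        eid = ev["process.entity_id"]
        if is_root_connection(ev):
            pending[eid] = ev
        elif is_root_session_change(ev) and eid in pending:
            first = pending.pop(eid)
            if ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                matches.append((first, ev))
    return matches


def flagged_entities(events):
    """Entity IDs that would trigger the rule, in detection order."""
    return [first["process.entity_id"] for first, _ in find_sequences(events)]


T0 = datetime(2024, 1, 1, 12, 0, 0)
# Constructed sample: one true hit (proc-a), an SSH-excluded pair (proc-b),
# a pair outside maxspan (proc-c) and a non-root connection (proc-d).
SAMPLE_EVENTS = [
    make_event(T0, "network", "connection_attempted", "proc-a", "/usr/bin/python3"),
    make_event(T0 + timedelta(seconds=20), "process", "session_id_change", "proc-a", "/usr/bin/python3", event_type="change"),
    make_event(T0, "network", "connection_attempted", "proc-b", "/usr/bin/ssh"),
    make_event(T0 + timedelta(seconds=10), "process", "session_id_change", "proc-b", "/usr/bin/ssh", event_type="change"),
    make_event(T0, "network", "connection_attempted", "proc-c", "/usr/bin/nc"),
    make_event(T0 + timedelta(seconds=90), "process", "session_id_change", "proc-c", "/usr/bin/nc", event_type="change"),
    make_event(T0, "network", "connection_attempted", "proc-d", "/usr/bin/curl", uid="1000"),
    make_event(T0 + timedelta(seconds=5), "process", "session_id_change", "proc-d", "/usr/bin/curl", uid="1000", event_type="change"),
]

if __name__ == "__main__":
    for first, second in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT entity={first['process.entity_id']} exe={first['process.executable']} "
              f"connect={first['@timestamp'].time()} session_change={second['@timestamp'].time()}")
```

Only proc-a is reported: the proc-b pair is suppressed by the executable exclusion (the page's noted false-positive source when something other than SSH is used would not be, which is why the exclusion list is explicit), proc-c falls outside the one-minute maxspan, and proc-d is not root. Adding a second remote terminal service's binary to EXCLUDED_EXECUTABLES is the tuning knob the LoFP note describes.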