Techniques
Sample rules
SSH (Secure Shell) from the Internet
- source: elastic
- technicques:
- T1021
- T1190
Description
This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Detection logic
event.category:(network or network_traffic) and network.transport:tcp and (destination.port:22 or event.dataset:zeek.ssh) and
not source.ip:(
10.0.0.0/8 or
127.0.0.0/8 or
169.254.0.0/16 or
172.16.0.0/12 or
192.168.0.0/16 or
224.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8"
) and
destination.ip:(
10.0.0.0/8 or
172.16.0.0/12 or
192.168.0.0/16
)