this is not a common command to be executed. filter as needed.

t1021.004
endpoint
splunk

Techniques

T1021.004

Sample rules

Linux SSH Remote Services Script Execute

source: splunk
technicques:
- T1021.004

Description

The following analytic identifies SSH being utilized to move laterally and execute a script or file on the remote host.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where  Processes.process_name=ssh Processes.process IN ("*oStrictHostKeyChecking*", "*oConnectTimeout*", "*oBatchMode*") AND Processes.process IN ("*http:*","*https:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_ssh_remote_services_script_execute_filter`