Techniques
Sample rules
Linux SSH Remote Services Script Execute
- source: splunk
- technicques:
- T1021.004
Description
The following analytic identifies SSH being utilized to move laterally and execute a script or file on the remote host.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ssh Processes.process IN ("*oStrictHostKeyChecking*", "*oConnectTimeout*", "*oBatchMode*") AND Processes.process IN ("*http:*","*https:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_ssh_remote_services_script_execute_filter`