Unusual SSHD Child Process

This rule detects the creation of an unusual SSHD child process through the usage of the new_terms rule type. Attackers may abuse SSH to maintain persistence on a compromised system, or to establish a backdoor for remote access, potentially resulting in an unusual SSHD child process being created.

Rule type: new_terms

Rule indices:

  • logs-endpoint.events.process*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

event.category:process and host.os.type:linux and event.type:start and event.action:exec and
process.parent.name:(ssh or sshd) and process.args_count:2 and
not process.command_line:(-bash or -zsh or -sh)
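The following is an added worked example, not Elastic's code, showing how the query above behaves when evaluated over process events, together with a simplified model of the new_terms rule type (alert only the first time a value of a tracked field appears outside the baseline). It assumes the tracked new-terms field is process.name (the page does not state which field the rule tracks), treats the process.command_line clause as an exact-value match, and uses constructed sample events. The rule's real new_terms history window and field configuration are not on this page.

```python
"""Added example: evaluate the 'Unusual SSHD Child Process' query plus a
simplified new_terms baseline over constructed ECS-style process events.
This is illustrative code, not Elastic's implementation."""
from dataclasses import dataclass
from typing import Iterable, List

# Literal values taken from the rule query on the page.
SSH_PARENTS = {"ssh", "sshd"}
LOGIN_SHELL_CMDLINES = {"-bash", "-zsh", "-sh"}


@dataclass(frozen=True)
class ProcessEvent:
    """Flattened subset of an ECS process event (names mirror ECS fields)."""
    event_category: str
    host_os_type: str
    event_type: str
    event_action: str
    process_parent_name: str
    process_args_count: int
    process_command_line: str
    process_name: str


def matches_query(ev: ProcessEvent) -> bool:
    """True when the event satisfies the rule's KQL query.

    Assumption: process.command_line behaves as a keyword-style field, so
    `process.command_line:(-bash or -zsh or -sh)` is an exact-value match
    that excludes interactive login shells spawned by sshd."""
    return (
        ev.event_category == "process"
        and ev.host_os_type == "linux"
        and ev.event_type == "start"
        and ev.event_action == "exec"
        and ev.process_parent_name in SSH_PARENTS
        and ev.process_args_count == 2
        and ev.process_command_line not in LOGIN_SHELL_CMDLINES
    )


class NewTermsDetector:
    """Simplified new_terms behaviour.

    Assumption: the tracked field is process.name. A query match only
    becomes an alert when that value has not been seen before; the value
    is then added to the baseline so repeats stay quiet."""

    def __init__(self, baseline: Iterable[str] = ()):
        self.seen = set(baseline)

    def evaluate(self, events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
        alerts = []
        for ev in events:
            if not matches_query(ev) or ev.process_name in self.seen:
                continue
            self.seen.add(ev.process_name)
            alerts.append(ev)
        return alerts


def _ev(parent, name, cmdline, argc, os_type="linux", action="exec"):
    """Helper to build constructed sample events."""
    return ProcessEvent("process", os_type, "start", action,
                        parent, argc, cmdline, name)


# Constructed sample telemetry (not real captured data).
CONSTRUCTED_EVENTS = [
    _ev("sshd", "bash", "-bash", 2),                       # login shell: excluded
    _ev("sshd", "sftp-server", "/usr/lib/openssh/sftp-server -l", 2),  # in baseline
    _ev("sshd", "curl", "curl https://example.invalid/f", 2),  # new term: alert
    _ev("sshd", "curl", "curl https://example.invalid/g", 2),  # repeat: no alert
    _ev("sshd", "bash", "bash -c id", 3),                   # args_count != 2
    _ev("ssh", "wget", "wget https://example.invalid/h", 2, os_type="windows"),  # wrong OS
    _ev("ssh", "wget", "wget https://example.invalid/h", 2),   # new term: alert
]


def run_demo() -> List[str]:
    """Names of processes that would raise an alert, given a baseline that
    already contains the SFTP subsystem."""
    det = NewTermsDetector(baseline={"sftp-server"})
    return [ev.process_name for ev in det.evaluate(CONSTRUCTED_EVENTS)]


if __name__ == "__main__":
    print(run_demo())  # ['curl', 'wget']
```

The two checks worth noting when tuning this rule are the args_count:2 condition, which drops the common `bash -c` case spawned by non-interactive SSH commands, and the baseline: a noisy environment should seed new_terms history with the subsystems (sftp-server, internal-sftp) it legitimately runs before enabling alerting.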

Framework: MITRE ATT&CK™