[metadata] creation_date = "2024/12/16" integration = ["endpoint"] maturity = "production" updated_date = "2024/12/16" [rule] author = ["Elastic"] description = """ This rule detects the creation of an unusual SSHD child process through the usage of the `new_terms` rule type. Attackers may abuse SSH to maintain persistence on a compromised system, or to establish a backdoor for remote access, potentially resulting in an unusual SSHD child process being created. """ from = "now-9m" index = ["logs-endpoint.events.process*"] language = "kuery" license = "Elastic License v2" name = "Unusual SSHD Child Process" references = ["https://hadess.io/the-art-of-linux-persistence/"] risk_score = 47 rule_id = "4c3c6c47-e38f-4944-be27-5c80be973bd7" severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "new_terms" query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:exec and process.parent.name:(ssh or sshd) and process.args_count:2 and not process.command_line:(-bash or -zsh or -sh) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d"