
Summary
This detection rule identifies instances where the `ssh` client is invoked in a way that executes a shell on Linux systems. The rationale is that spawning a shell through `ssh` options carries real security risk: it can be used for privilege escalation (for example when `ssh` may be run with elevated rights), for unauthorized command execution, or to break out of a restricted shell environment. The detection logic consists of two selections: the first matches `ssh` invocations whose command-line arguments indicate risky behavior (such as setting `ProxyCommand` or enabling `permitlocalcommand`), and the second matches references to shell binaries in the same command line. The rule raises an alert only when both selections match, which distinguishes a shell launched via `ssh` from ordinary uses of these options (such as a `ProxyCommand` that runs a jump-host connection) and flags the event as suspicious use of `ssh` warranting further investigation. The rule is particularly valuable in Linux environments, where `ssh` is both ubiquitous and powerful.
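The two-selection logic described above, as an added example that is not part of the original rule page or its rule file: a small Python reference implementation run over constructed process-creation events. The field names `Image` and `CommandLine` follow the Sigma `process_creation` convention, and the list of shell binaries is an assumption drawn from the summary (the real rule's list may differ). It shows why the rule requires both selections: a `ProxyCommand` that merely chains through a jump host matches the first selection but not the second, so it does not alert.

```python
"""
Added example, not the rule page's own code: reference implementation of the
summary's two-selection condition, evaluated over constructed sample events.
Field names (Image, CommandLine) assume the Sigma process_creation convention;
SHELL_BINARIES is an assumed list, not the rule's actual one.
"""
import re

# Selection 2 candidates: shell binary names (assumed list).
SHELL_BINARIES = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}

# Selection 1: options the summary names as risky. Matched case-insensitively
# because OpenSSH accepts option names in any letter case.
RISKY_OPTIONS = ("proxycommand", "permitlocalcommand")

# Split a command line on whitespace, '=' and common shell punctuation so that
# "ProxyCommand=/bin/sh" yields the token "/bin/sh".
_SPLIT = re.compile(r"""[\s=;|&'"()]+""")


def is_ssh_image(image: str) -> bool:
    """True when the process image is the ssh client (bare name or full path)."""
    return image == "ssh" or image.endswith("/ssh")


def has_risky_option(cmdline: str) -> bool:
    """Selection 1: the ssh command line sets ProxyCommand or PermitLocalCommand."""
    lowered = cmdline.lower()
    return any(opt in lowered for opt in RISKY_OPTIONS)


def references_shell(cmdline: str) -> bool:
    """Selection 2: a shell binary (with or without a path) appears in the arguments."""
    for token in _SPLIT.split(cmdline):
        if token and token.rsplit("/", 1)[-1] in SHELL_BINARIES:
            return True
    return False


def matches_rule(event: dict) -> bool:
    """The rule's condition: image is ssh AND selection 1 AND selection 2."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return is_ssh_image(image) and has_risky_option(cmdline) and references_shell(cmdline)


def scan(events):
    """Return the ids of the events that would trigger an alert."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Only 3 and 4 should alert.
SAMPLE_EVENTS = [
    # 1: ordinary interactive login, no risky option.
    {"id": 1, "Image": "/usr/bin/ssh",
     "CommandLine": "ssh deploy@app01.example.internal"},
    # 2: ProxyCommand used for a jump host; selection 1 only, so no alert.
    {"id": 2, "Image": "/usr/bin/ssh",
     "CommandLine": 'ssh -o ProxyCommand="ssh -W %h:%p bastion.example.internal" app01'},
    # 3: ProxyCommand pointing at a shell; both selections match.
    {"id": 3, "Image": "/usr/bin/ssh",
     "CommandLine": "ssh -o ProxyCommand=/bin/sh app01"},
    # 4: PermitLocalCommand enabled with a shell as the local command; both match.
    {"id": 4, "Image": "/usr/bin/ssh",
     "CommandLine": "ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/bash localhost"},
    # 5: option keyword appears, but the image is not ssh, so no alert.
    {"id": 5, "Image": "/bin/bash",
     "CommandLine": "bash -c 'grep ProxyCommand ~/.ssh/config'"},
]

if __name__ == "__main__":
    print("alerting event ids:", scan(SAMPLE_EVENTS))  # alerting event ids: [3, 4]
```

Running the block prints the ids of the two events that satisfy both selections. Event 2 is the case to watch when tuning: a legitimate jump-host `ProxyCommand` trips the first selection alone, and it is the shell-binary requirement that keeps it from alerting; if your environment wraps `ProxyCommand` in a shell script, expect to add an allow-list for that script's path.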
Categories
- Linux
- Network
- Endpoint
Data Sources
- Process
Created: 2024-08-29