
Summary
This detection rule identifies the invocation of SSH (Secure Shell) processes within a containerized environment on Linux systems. Both the SSH client (`ssh`) and the server daemon (`sshd`) are monitored, along with related commands such as `autossh`, because SSH usage is atypical in container setups and therefore warrants scrutiny. The rule aims to highlight potential lateral movement or persistence risks, as attackers may leverage SSH for unauthorized access across containers or to the host. It matches process start events (`event.type == 'start'`) that are executions (`event.action == 'exec'`) of SSH-related processes initiated from within a container. Since SSH can be legitimately used in some setups, false positive analysis and triage processes are outlined to help security teams respond effectively to alerts generated by this rule. Monitoring and restrictive policies are encouraged to mitigate the risks associated with SSH usage in container environments.
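As an added illustration, not the rule's own query, the following Python applies the logic described above (start + exec events of `ssh`, `sshd` or `autossh` from inside a container) to constructed sample events, with a container-name allowlist standing in for the false-positive tuning the summary mentions. The ECS-style field names (`event.type`, `event.action`, `process.name`, `container.id`, `container.name`) are assumptions; the page does not reproduce the rule's field list.

```python
from dataclasses import dataclass

# Process names the summary calls out as atypical inside a container.
SSH_BINARIES = {"ssh", "sshd", "autossh"}


@dataclass
class Alert:
    container_id: str
    process_name: str
    command_line: str


def matches_rule(event: dict) -> bool:
    """True for an SSH binary exec'd inside a container.
    Field names follow ECS (event.type, event.action, process.name, container.id);
    that is an assumption, since the rule's field list is not on this page."""
    if event.get("event.type") != "start" or event.get("event.action") != "exec":
        return False
    if not event.get("container.id"):  # host-level SSH is out of scope
        return False
    return event.get("process.name") in SSH_BINARIES


def scan(events, allowed_containers=frozenset()):
    """Apply the rule to an event stream; matches from container names listed in
    allowed_containers (known legitimate SSH use) are suppressed, which is the
    false-positive tuning the summary refers to."""
    alerts = []
    for ev in events:
        if matches_rule(ev) and ev.get("container.name") not in allowed_containers:
            alerts.append(Alert(ev["container.id"], ev["process.name"],
                                ev.get("process.command_line", "")))
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event.type": "start", "event.action": "exec", "process.name": "sshd",
     "process.command_line": "/usr/sbin/sshd -D", "container.id": "c1", "container.name": "web"},
    {"event.type": "start", "event.action": "exec", "process.name": "autossh",
     "process.command_line": "autossh -N build@ci.example", "container.id": "c2", "container.name": "jobs"},
    {"event.type": "start", "event.action": "exec", "process.name": "bash",
     "process.command_line": "bash -c id", "container.id": "c1", "container.name": "web"},
    {"event.type": "start", "event.action": "exec", "process.name": "ssh",
     "process.command_line": "ssh admin@host"},  # no container.id: runs on the host
    {"event.type": "start", "event.action": "exec", "process.name": "sshd",
     "process.command_line": "/usr/sbin/sshd -D", "container.id": "c3", "container.name": "bastion"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS, allowed_containers={"bastion"}):
        print(f"ALERT container={a.container_id} process={a.process_name} cmd={a.command_line!r}")
```

Running it raises two alerts (`sshd` in `web`, `autossh` in `jobs`); the host-level `ssh` and the allowlisted `bastion` container are left out.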
Categories
- Containers
- Linux
- Cloud
- Endpoint
Data Sources
- Container
- Process
- Application Log
ATT&CK Techniques
- T1021
- T1021.004
- T1133
Created: 2025-03-12