Linux Restricted Shell Breakout via the SSH command

Elastic Detection Rules

Summary
This detection rule identifies abuse of the SSH client on Linux hosts by users trying to break out of a restricted shell. SSH exists to give administrators and users secure remote access; the breakout instead uses the ssh process as a launcher for an interactive local shell. The rule is written in EQL (Event Query Language) over process start events and flags a shell (bash, sh, or dash) whose parent process is ssh and whose arguments indicate that the shell was spawned to run a command or become interactive rather than to serve a normal connection. The severity is medium: escaping a restricted shell gives the user capabilities the environment was designed to deny, and the behavior is uncommon enough in legitimate use to be worth triage. The rule maps to MITRE ATT&CK technique T1059 (Command and Scripting Interpreter) and its sub-technique T1059.004 (Unix Shell).
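The following Python sketch is an added example, not the rule's own EQL query (which this page does not reproduce) and not code from Elastic. It applies the logic the summary describes to a handful of constructed process-start events: the parent must be ssh, the child must be one of the named shells, and the argument following -c must itself launch a shell. The ProcessEvent fields, the regular expression used as the "arguments indicating misuse" heuristic, and every sample event are assumptions made for the example. The two breakout samples follow the publicly documented ssh entries (ProxyCommand and LocalCommand), which the ssh client runs through "$SHELL -c <string>", which is why the resulting shell appears as a direct child of ssh.

```python
"""Constructed emulation of the detection logic described in the summary.

Assumptions (not from the Elastic rule itself): the exact argument patterns
the real rule matches are not reproduced on this page, so the regex below is
a stand-in heuristic, and all events are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List

# Shells the summary names as suspicious children of ssh.
SHELLS = {"bash", "sh", "dash"}

# Assumed heuristic: the string handed to "-c" starts a shell itself, e.g.
# ";sh 0<&2 1>&2" (stdin/stdout bound to the tty via stderr) or "/bin/sh".
# The shell name must be preceded by start-of-string, a separator, or "/"
# so that "ssh -W host:22 jump" (a normal ProxyCommand) does not match.
_SHELL_CMD = re.compile(r"(^|[;&|\s/])(bash|sh|dash)(\s|$)")


@dataclass
class ProcessEvent:
    """Minimal stand-in for an ECS-style process start event (constructed)."""
    host_os_type: str
    event_type: str
    process_name: str
    process_args: List[str]
    parent_name: str


def is_ssh_shell_breakout(ev: ProcessEvent) -> bool:
    """Return True when the event matches the described breakout pattern."""
    if ev.host_os_type != "linux" or ev.event_type != "start":
        return False
    if ev.parent_name != "ssh" or ev.process_name not in SHELLS:
        return False
    # ssh executes ProxyCommand / LocalCommand as "$SHELL -c <string>";
    # inspect the string after every -c flag.
    args = ev.process_args
    for i, arg in enumerate(args):
        if arg == "-c" and i + 1 < len(args) and _SHELL_CMD.search(args[i + 1]):
            return True
    return False


def scan(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the subset of events the detection would alert on."""
    return [ev for ev in events if is_ssh_shell_breakout(ev)]


# Constructed sample events. The first two model the documented breakouts:
#   ssh -o ProxyCommand=';sh 0<&2 1>&2' x
#   ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh x
SAMPLE_EVENTS = [
    ProcessEvent("linux", "start", "sh", ["sh", "-c", ";sh 0<&2 1>&2"], "ssh"),
    ProcessEvent("linux", "start", "bash", ["bash", "-c", "/bin/sh"], "ssh"),
    # Benign: ProxyCommand hopping through a jump host.
    ProcessEvent("linux", "start", "sh", ["sh", "-c", "ssh -W host:22 jump"], "ssh"),
    # Benign: login shell spawned by sshd on the server side, parent is not ssh.
    ProcessEvent("linux", "start", "bash", ["-bash"], "sshd"),
    # Same breakout arguments, but not a process start event.
    ProcessEvent("linux", "end", "sh", ["sh", "-c", ";sh 0<&2 1>&2"], "ssh"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit.parent_name, "->", hit.process_name, hit.process_args)
```

Running the block prints the two breakout events and nothing for the benign ProxyCommand, the sshd-spawned login shell, or the non-start event. When tuning a real deployment, the first place to look for false positives is legitimate ProxyCommand or LocalCommand configuration in users' ssh_config files, since those are executed through the same "$SHELL -c" path.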
Categories
  • Linux
  • Endpoint
  • Infrastructure
Data Sources
  • Process
ATT&CK Techniques
  • T1059
  • T1059.004
Created: 2022-03-10