
Summary
This detection rule monitors for potentially harmful commands executed through the Teleport SSH service. It is aimed at identifying suspicious activity that might indicate a compromise of the host, flagging commands considered dangerous based on their nature and the context in which they are executed. The rule is effective at capturing commands run by users with elevated privileges, since it draws on the Teleport SSH service's audit logs, which record both the command and the session's login identity. When a suspicious command is detected, the rule triggers an analytic workflow that recommends investigating the command's legitimacy and the user's intent in running it. The examples included for testing contrast typical benign commands such as 'echo' with more suspicious ones such as 'netcat', allowing clear differentiation during monitoring and alerting.
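To make the detection logic concrete, the following is an added example (not the rule's own code or Teleport's): it evaluates a few constructed Teleport audit lines, flagging a watchlisted program such as 'nc' and recording whether the session login was elevated, while ignoring 'echo', non-command events and malformed lines. The event field names (`event`, `user`, `login`, `uid`, `path`, `program`, `argv`) and the watchlist itself are assumptions for the example.

```python
import json
from posixpath import basename

# Assumed watchlist for this example; the rule's real list is not shown on the page.
SUSPICIOUS_PROGRAMS = {"nc", "ncat", "netcat", "socat"}

# Constructed Teleport audit lines; field names assumed from the session.command event shape.
SAMPLE_LOG = [
    '{"event":"session.command","user":"alice","login":"alice","uid":1000,'
    '"path":"/usr/bin/echo","program":"echo","argv":["hello"]}',
    '{"event":"session.command","user":"bob","login":"root","uid":0,'
    '"path":"/usr/bin/nc","program":"nc","argv":["-l","4444"]}',
    '{"event":"session.start","user":"carol","login":"carol"}',
    'not json at all',
    '{"event":"session.command","user":"dave","login":"deploy","uid":1001,'
    '"path":"/usr/bin/socat","argv":["-h"]}',
]


def parse_command_event(line):
    """Return the parsed event for a session.command line, or None for anything else."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("event") != "session.command":
        return None
    return event


def program_name(event):
    """Prefer the recorded program name; fall back to the basename of the executable path."""
    return event.get("program") or basename(event.get("path", ""))


def is_elevated(event):
    """A session logged in as root or running with uid 0 counts as elevated."""
    return event.get("login") == "root" or event.get("uid") == 0


def evaluate(lines):
    """Run the watchlist check over audit lines and return one alert per suspicious command."""
    alerts = []
    for line in lines:
        event = parse_command_event(line)
        if event is None:
            continue
        program = program_name(event)
        if program in SUSPICIOUS_PROGRAMS:
            alerts.append({
                "user": event.get("user"),
                "login": event.get("login"),
                "program": program,
                "argv": event.get("argv", []),
                "elevated": is_elevated(event),  # context an analyst triages first
            })
    return alerts
```

Running `evaluate(SAMPLE_LOG)` yields two alerts: the root session running `nc` (elevated) and the deploy session running `socat` (not elevated); the `echo` command and the non-command lines produce nothing.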
Categories
- Endpoint
- Infrastructure
- Cloud
Data Sources
- User Account
- Application Log
- Process
ATT&CK Techniques
- T1059
- T4000
Created: 2022-09-02