High volume of outbound traffic over SSH

ID: high_volume_ssh
Data type: IP
Severity: Informational - High
MITRE ATT&CK: TA0011:T1071

Description

AlphaSOC detected unusual outbound SSH (Secure Shell) traffic. SSH is commonly used for remote logins and file transfers. Threat actors often use OSI application layer protocols such as SSH to communicate with compromised systems within a victim's network. This allows them to blend malicious activity with legitimate traffic and avoid detection.

Impact

Unexpected outbound SSH traffic may indicate ongoing communication with a command and control (C2) server or an attempt to exfiltrate data. This can result in the loss of sensitive data, intellectual property theft, compliance violations, or the installation of additional malware. The encrypted nature of SSH traffic can make detection particularly difficult.

Severity

Severity        Condition
Informational   Suspicious outbound SSH traffic
Medium          Suspicious high-volume outbound SSH traffic
Medium          Uncommon port used
High            Suspicious outbound SSH traffic masquerading as a different port
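The severity table above, as added example detection logic (not AlphaSOC's own implementation): flows are identified as SSH by the server's protocol banner rather than by port, so SSH on 443 is caught as masquerading instead of being mistaken for HTTPS. The flow records, the 500 MiB volume threshold and the port-to-service map are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Assumed threshold for "high volume" (bytes sent by the client in one flow).
HIGH_VOLUME_BYTES = 500 * 1024 * 1024
# Ports where a different application is expected; SSH here is "masquerading".
OTHER_SERVICE_PORTS = {80: "HTTP", 443: "HTTPS", 53: "DNS", 25: "SMTP", 3389: "RDP"}
SEVERITY_RANK = {"Informational": 0, "Medium": 1, "High": 2}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    server_banner: bytes  # first bytes the server sent back
    bytes_out: int        # bytes sent from the internal client


def is_ssh(flow: Flow) -> bool:
    # RFC 4253 identification string: "SSH-protoversion-softwareversion".
    return flow.server_banner.startswith(b"SSH-")


def classify(flow: Flow):
    """Return (severity, [matched conditions]) or None if the flow is not SSH."""
    if not is_ssh(flow):
        return None
    findings = [("Informational", "suspicious outbound SSH traffic")]
    if flow.bytes_out >= HIGH_VOLUME_BYTES:
        findings.append(("Medium", "high-volume outbound SSH traffic"))
    if flow.dst_port in OTHER_SERVICE_PORTS:
        svc = OTHER_SERVICE_PORTS[flow.dst_port]
        findings.append(("High", f"SSH masquerading as {svc} on port {flow.dst_port}"))
    elif flow.dst_port != 22:
        findings.append(("Medium", f"uncommon port {flow.dst_port}"))
    severity = max(findings, key=lambda f: SEVERITY_RANK[f[0]])[0]
    return severity, [reason for _, reason in findings]


# Constructed sample flows (RFC 5737 documentation addresses).
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_9.6", 40_000),
    Flow("10.0.0.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_9.6", 900 * 1024 * 1024),
    Flow("10.0.0.7", "198.51.100.4", 2222, b"SSH-2.0-dropbear", 5_000),
    Flow("10.0.0.9", "192.0.2.33", 443, b"SSH-2.0-OpenSSH_8.9", 12_000),
    Flow("10.0.0.9", "192.0.2.33", 443, b"HTTP/1.1 200 OK\r\n", 12_000),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.src, "->", f.dst, f.dst_port, classify(f))
```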

Investigation and Remediation

Investigate the source and destination of the SSH traffic and verify whether it's authorized. Review logs for unusual login patterns, failed authentication attempts, or connections to unfamiliar hosts. Examine the involved systems for signs of suspicious SSH clients. If malicious activity is confirmed, isolate affected systems, terminate unauthorized connections, and conduct a thorough security assessment. Update SSH configurations, implement stronger authentication methods, and review network segmentation to prevent future incidents.

Known False Positives

  • Legitimate remote administration or file transfers by authorized personnel
  • Automated processes or scripts using SSH for scheduled tasks or backups
  • Development or testing activities involving SSH connections to external servers or cloud environments
  • VPNs or other secure communication methods that rely on SSH as the underlying protocol (e.g., SSH tunnels)