Suspicious SSH session masquerading as a different protocol
Description
AlphaSOC detected unusual outbound SSH (Secure Shell) traffic. SSH is commonly used for remote logins and file transfers. Threat actors often tunnel command-and-control over standard application-layer protocols such as SSH so that malicious sessions blend in with legitimate administrative traffic, and they may run the SSH service on a port normally associated with a different protocol (for example 443) so that port-based filtering and casual inspection treat the session as ordinary HTTPS.
Impact
Unexpected outbound SSH traffic may indicate ongoing communication with a command and control (C2) server or an attempt to exfiltrate data. This can result in the loss of sensitive data, intellectual property theft, compliance violations, or the installation of additional malware. Because SSH is encrypted, payload inspection cannot reveal what is being transferred; detection has to rely on flow metadata such as destination, port, volume and protocol identification, which makes this activity particularly difficult to spot.
Severity
| Severity | Condition |
|---|---|
| Informational | Suspicious outbound SSH traffic on the standard port |
| Medium | Suspicious high-volume outbound SSH traffic |
| Medium | SSH on an uncommon (non-22) port |
| High | SSH on a port normally used by a different protocol (the session masquerades as that protocol) |
Investigation and Remediation
Investigate the source and destination of the SSH traffic and verify whether it is authorized. Review logs for unusual login patterns, failed authentication attempts, or connections to unfamiliar hosts, and confirm the protocol from the server identification string (the SSH-2.0-... banner) rather than from the port alone. Examine the involved systems for unexpected SSH client binaries, keys or configuration. If malicious activity is confirmed, isolate affected systems, terminate unauthorized connections, and conduct a thorough security assessment. Restrict outbound SSH to approved destinations, require key-based or multi-factor authentication, and review network segmentation to prevent future incidents.
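The following is an added example of the triage logic described above, not AlphaSOC's own detection code. It reads constructed flow records (Zeek conn.log-style columns plus the first bytes the server sent, which a real conn.log does not carry), identifies SSH from the RFC 4253 identification string rather than the port, and maps each outbound SSH flow onto the severity table. The internal address ranges, the list of "other service" ports and the high-volume threshold are assumptions to tune for your environment.

```python
import codecs
import ipaddress
import re
from dataclasses import dataclass

# RFC 4253 section 4.2 identification string, e.g. "SSH-2.0-OpenSSH_9.6".
SSH_BANNER = re.compile(rb"^SSH-(?:2\.0|1\.99|1\.5)-[\x21-\x7e]+")
STANDARD_SSH_PORT = 22
# Assumed: ports whose well-known service is something other than SSH.
OTHER_SERVICE_PORTS = {25: "smtp", 53: "dns", 80: "http", 443: "https", 8080: "http-alt"}
# Assumed high-volume threshold (bytes sent by the client).
HIGH_VOLUME_BYTES = 500 * 1024 * 1024
# Assumed internal ranges; a flow is "outbound" when src is internal and dst is not.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    uid: str
    src: str
    dst: str
    dport: int
    orig_bytes: int
    resp_first_bytes: bytes


def parse_flows(text):
    """Parse the constructed TSV; the last column is the server's first payload bytes, escaped."""
    flows = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        uid, src, dst, dport, orig_bytes, first = line.split("\t")
        payload = codecs.decode(first, "unicode_escape").encode("latin-1")
        flows.append(Flow(uid, src, dst, int(dport), int(orig_bytes), payload))
    return flows


def is_ssh(resp_first_bytes):
    """Protocol identification from the banner, independent of the port."""
    return SSH_BANNER.match(resp_first_bytes) is not None


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_outbound(flow):
    return is_internal(flow.src) and not is_internal(flow.dst)


def classify(flow):
    """Return (severity, reason) per the severity table, or None if not outbound SSH."""
    if not is_outbound(flow) or not is_ssh(flow.resp_first_bytes):
        return None
    if flow.dport in OTHER_SERVICE_PORTS:
        return "High", f"SSH on port {flow.dport}, normally {OTHER_SERVICE_PORTS[flow.dport]}"
    if flow.orig_bytes >= HIGH_VOLUME_BYTES:
        return "Medium", f"high-volume SSH, {flow.orig_bytes} bytes sent"
    if flow.dport != STANDARD_SSH_PORT:
        return "Medium", f"SSH on uncommon port {flow.dport}"
    return "Informational", "SSH on port 22"


def triage(text):
    """Map every outbound SSH flow uid to its (severity, reason)."""
    findings = {}
    for flow in parse_flows(text):
        result = classify(flow)
        if result:
            findings[flow.uid] = result
    return findings


# Constructed sample records (documentation addresses, invented uids and banners).
SAMPLE_LOG = (
    "#fields\tuid\tid.orig_h\tid.resp_h\tid.resp_p\torig_bytes\tresp_first_bytes\n"
    "C1\t10.0.0.5\t203.0.113.10\t22\t4096\tSSH-2.0-OpenSSH_9.6\\r\\n\n"
    "C2\t10.0.0.7\t198.51.100.20\t443\t2048\tSSH-2.0-dropbear_2022.83\\r\\n\n"
    "C3\t10.0.0.9\t192.0.2.30\t22\t734003200\tSSH-2.0-OpenSSH_8.9p1\\r\\n\n"
    "C4\t10.0.0.11\t192.0.2.40\t2222\t5120\tSSH-2.0-OpenSSH_9.2\\r\\n\n"
    "C5\t10.0.0.12\t198.51.100.50\t443\t3000\t\\x16\\x03\\x03\\x00\\x7a\\x02\n"  # real TLS
    "C6\t10.0.0.13\t10.0.0.20\t22\t1000\tSSH-2.0-OpenSSH_9.6\\r\\n\n"  # internal, ignored
)

if __name__ == "__main__":
    for uid, (severity, reason) in triage(SAMPLE_LOG).items():
        print(f"{uid}: {severity}: {reason}")
```

Flow C2 is the case this detection targets: the port says HTTPS, the banner says SSH, so it is rated High ahead of the volume and uncommon-port checks. C5 shows why the banner matters: the same port carrying a TLS ServerHello is left alone.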
Known False Positives
- Legitimate remote administration or file transfers by authorized personnel
- Automated processes or scripts using SSH for scheduled tasks or backups
- Development or testing activities involving SSH connections to external servers or cloud environments
- VPN-like tunnels built on SSH (port forwarding, SOCKS proxies over SSH, or SSH deliberately served on 443 to traverse restrictive networks)