The Backdoored_ssh rule detects potential adversary use of a compromised or malicious SSH implementation to gain unauthorized access to systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate stealthy persistence mechanisms that may evade traditional detection methods.
YARA Rule
rule Backdoored_ssh {
    meta:
        author = "Kaspersky"
        reference = "https://securelist.com/energetic-bear-crouching-yeti/85345/"
        actor = "Energetic Bear/Crouching Yeti"
    strings:
        $a1 = "OpenSSH"      // product banner, present in both stock and trojanized builds
        $a2 = "usage: ssh"   // client usage text, so the rule targets the ssh client binary
        $a3 = "HISTFILE"     // shell history variable, which a stock ssh client does not reference
    condition:
        // uint32(0) reads the first four bytes little-endian: 7f 45 4c 46 == "\x7fELF"
        uint32(0) == 0x464c457f and filesize < 1000000 and all of ($a*)
}
The rule declares three string patterns ($a1, $a2, $a3) and fires only when all three appear in an ELF executable (uint32(0) == 0x464c457f) smaller than 1,000,000 bytes. It is a file-content rule for endpoint or artefact scanning; the scenarios below describe legitimate SSH activity whose surrounding log telemetry can be tuned so that a hit is not mistaken for routine administration.
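To show exactly what the condition clause tests, here is the rule's logic re-implemented in plain Python and run over constructed byte strings. This is an added example, not code from the page or from Kaspersky; production scanning should use yara or yara-python, and the sample blobs are constructed stand-ins, not real binaries.

```python
import struct
from pathlib import Path
from typing import Iterable

# ELF magic 7f 45 4c 46 read little-endian as a uint32 is 0x464c457f,
# which is what YARA's uint32(0) evaluates to at file offset 0.
ELF_MAGIC_LE = 0x464c457f
MAX_FILESIZE = 1_000_000                                   # filesize < 1000000
NEEDLES = [b"OpenSSH", b"usage: ssh", b"HISTFILE"]         # $a1, $a2, $a3


def matches_backdoored_ssh(data: bytes) -> bool:
    """Return True when `data` satisfies the Backdoored_ssh condition clause."""
    if len(data) < 4 or len(data) >= MAX_FILESIZE:        # too short to read uint32, or too big
        return False
    (magic,) = struct.unpack_from("<I", data, 0)           # uint32(0), little-endian like YARA
    if magic != ELF_MAGIC_LE:
        return False
    return all(needle in data for needle in NEEDLES)       # all of ($a*)


def scan_paths(paths: Iterable[Path]) -> list[Path]:
    """Apply the check to files on disk and return those the rule would flag."""
    return [p for p in paths if p.is_file() and matches_backdoored_ssh(p.read_bytes())]


# Constructed samples: an ELF header, padding, then strings a client binary might carry.
SAMPLE_SUSPECT = (b"\x7fELF" + b"\x00" * 60 + b"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy]"
                  + b"\x00OpenSSH_7.9\x00HISTFILE=/dev/null\x00")
SAMPLE_CLEAN_ELF = b"\x7fELF" + b"\x00" * 60 + b"usage: ssh\x00OpenSSH_7.9\x00"  # no HISTFILE
SAMPLE_NOT_ELF = b"#!/bin/sh\nOpenSSH usage: ssh HISTFILE\n"                      # script, not ELF

if __name__ == "__main__":
    for name, blob in [("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN_ELF), ("script", SAMPLE_NOT_ELF)]:
        print(f"{name}: {'MATCH' if matches_backdoored_ssh(blob) else 'no match'}")
```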
Scenario: Scheduled System Maintenance via SSH
Description: A system administrator uses SSH to perform routine maintenance tasks, such as updating packages or checking system logs.
Filter/Exclusion: Exclude SSH connections initiated from known admin IPs during scheduled maintenance windows using src_ip or src_user fields.
Scenario: Remote Database Backup via SSH Tunnel
Description: A database administrator uses an SSH tunnel to securely transfer backups from a remote server to a local backup system.
Filter/Exclusion: Exclude SSH connections that involve port forwarding (-L or -R options) and are associated with known backup tools like pg_dump or mysqldump.
Scenario: SSH Agent Forwarding for Development Access
Description: A developer uses SSH agent forwarding to access internal development environments from their local machine.
Filter/Exclusion: Exclude SSH sessions where ForwardAgent is enabled and the user is a known developer with access to internal development tools like kubectl or docker.
Scenario: Automated CI/CD Pipeline Deployment via SSH
Description: A CI/CD pipeline uses SSH to deploy code to a production server, often through a script or tool like Ansible or Jenkins.
Filter/Exclusion: Exclude SSH connections initiated by known CI/CD agents or service accounts, using user or command fields to identify deployment scripts.
Scenario: SSH Access for Monitoring Tools
Description: A monitoring tool like Nagios or Zabbix uses SSH to check the status of remote servers or execute scripts.
Filter/Exclusion: Exclude SSH connections where the command includes monitoring-related scripts or tools, using the command field to identify known monitoring utilities.