Adversaries may intercept SSH connections to capture credentials and exfiltrate sensitive information; the jtesta/ssh-mitm tool referenced by the rule below is built for exactly this. SOC teams should proactively hunt for this behaviour and surface matches in Azure Sentinel to identify credential theft and early-stage compromise.
YARA Rule
rule hacktool_multi_jtesta_ssh_mitm
{
    meta:
        description = "intercepts ssh connections to capture credentials"
        reference = "https://github.com/jtesta/ssh-mitm"
        author = "@fusionrace"
        id = "c44ca655-71f8-50d6-b0ec-9a85434d780f"
    strings:
        $a1 = "INTERCEPTED PASSWORD:" wide ascii
        $a2 = "more sshbuf problems." wide ascii
    condition:
        all of ($a*)
}
This rule contains two string patterns in its detection logic, and its condition (all of ($a*)) requires both to be present, in either ASCII or UTF-16LE (wide) form, before it fires; matching is case-sensitive because no nocase modifier is used. YARA rules match file contents and process memory, so this rule is deployed on endpoint, file-scanning or memory-scanning tooling and its hits are forwarded to Sentinel as alerts; it is not itself a Sentinel query.
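The following is an added example, not code from the original page or from the ssh-mitm project: a pure-Python re-implementation of the matching semantics of hacktool_multi_jtesta_ssh_mitm, so the effect of the wide ascii modifiers and the all of ($a*) condition can be stepped through without a YARA binary. The sample buffers are constructed stand-ins for scanned files, not real ssh-mitm binaries, and scan_path is an assumed helper name.

```python
from __future__ import annotations

from pathlib import Path

# The two string patterns from the rule, keyed by their YARA identifiers.
# No 'nocase' modifier is present, so matching is case-sensitive.
RULE_STRINGS: dict[str, str] = {
    "$a1": "INTERCEPTED PASSWORD:",
    "$a2": "more sshbuf problems.",
}


def encodings(pattern: str) -> dict[str, bytes]:
    """'wide ascii' in YARA searches the pattern both as plain ASCII and as
    'wide' (UTF-16LE, i.e. each character followed by a NUL byte)."""
    return {
        "ascii": pattern.encode("ascii"),
        "wide": pattern.encode("utf-16-le"),
    }


def find_strings(data: bytes) -> dict[str, list[tuple[int, str]]]:
    """Return, for each rule string, every (offset, encoding) at which it occurs."""
    hits: dict[str, list[tuple[int, str]]] = {name: [] for name in RULE_STRINGS}
    for name, pattern in RULE_STRINGS.items():
        for enc_name, needle in encodings(pattern).items():
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits[name].append((idx, enc_name))
                start = idx + 1
    return hits


def rule_matches(data: bytes) -> bool:
    """condition: all of ($a*) -- every $a string must occur at least once,
    in either encoding, anywhere in the buffer."""
    return all(hits for hits in find_strings(data).values())


def scan_path(path: str | Path) -> bool:
    """Apply the rule to a file on disk (the usual YARA deployment). Assumed helper."""
    return rule_matches(Path(path).read_bytes())


# Constructed sample buffers standing in for scanned files (not real ssh-mitm binaries).
SAMPLES: dict[str, bytes] = {
    # both strings present as ASCII: the rule fires
    "both_ascii": b"\x7fELF\x02\x01\x01..." b"INTERCEPTED PASSWORD: %s\n" b"..." b"more sshbuf problems.\x00",
    # $a1 stored as UTF-16LE, $a2 as ASCII: still fires because of 'wide ascii'
    "mixed_wide": b"xx" + "INTERCEPTED PASSWORD:".encode("utf-16-le") + b"yy" + b"more sshbuf problems.",
    # only $a1 present: 'all of' is not satisfied
    "only_a1": b"INTERCEPTED PASSWORD: hunter2",
    # an unmodified OpenSSH-like blob that mentions sshbuf but not the full string
    "clean": b"OpenSSH_9.6 ... sshbuf_put_string ... no problems here.",
}


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:11s} match={rule_matches(buf)!s:5s} hits={find_strings(buf)}")
```

The mixed_wide sample is the one worth noting: the ASCII search never sees the UTF-16LE copy of $a1 (every other byte is NUL), so without the wide modifier a binary that stores that string as UTF-16 would evade the rule.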
Scenario: A system administrator uses ssh to connect to a remote server for routine maintenance.
Filter/Exclusion: Exclude connections from known admin IP ranges or from accounts used for administrative tasks (e.g., user = root or user = admin).
Scenario: A scheduled job runs via cron to fetch data from a remote server using ssh.
Filter/Exclusion: Exclude connections initiated by cron or systemd services (e.g., command_line LIKE '%cron%' or command_line LIKE '%systemd%').
Scenario: A developer uses ssh to connect to a development environment for code deployment.
Filter/Exclusion: Exclude connections to development servers or hosts with a specific naming convention (e.g., host_name LIKE '%dev%' or host_name LIKE '%test%').
Scenario: A backup tool like rsync or borgbackup uses ssh for secure file transfer.
Filter/Exclusion: Exclude connections initiated by backup tools (e.g., command_line LIKE '%rsync%' or command_line LIKE '%borgbackup%').
Scenario: An internal monitoring tool like Prometheus or Grafana uses ssh to access metrics from a remote agent.
Filter/Exclusion: Exclude connections from monitoring tools (e.g., command_line LIKE '%prometheus%' or command_line LIKE '%grafana%').
These exclusions apply to the SSH connection and process telemetry used for hunting, not to the YARA rule itself: the strings it matches do not occur in legitimate SSH software, so a file or memory hit should be triaged, never excluded. Exclusions keyed only on a user name or a command-line substring (user = root, or anything containing rsync) are trivially satisfied by an attacker; scope them further by source address, host or service account, and review them regularly.
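The following is an added example, not part of the original page: the Filter/Exclusion rules above applied to constructed SSH connection events in Python rather than in the SIEM query language, so the effect of each exclusion can be checked offline. The event field names (user, src_ip, host_name, command_line, detection), the admin IP range, the alert name and the sample records are all assumptions made for illustration.

```python
from __future__ import annotations

import ipaddress
from typing import Callable

# Assumed known administrative source range (placeholder; adjust per environment).
ADMIN_RANGES = [ipaddress.ip_network("10.10.0.0/24")]

# Assumed event schema: one dict per SSH connection / process event.
Event = dict[str, str]

YARA_ALERT = "yara:hacktool_multi_jtesta_ssh_mitm"  # assumed alert name for a YARA hit


def _like(value: str, *needles: str) -> bool:
    """Mirror SQL/KQL `field LIKE '%needle%'`: case-insensitive substring test."""
    value = value.lower()
    return any(n.lower() in value for n in needles)


def is_admin_source(ev: Event) -> bool:
    """Scenario 1: known admin IP range, or an administrative account name."""
    addr = ipaddress.ip_address(ev["src_ip"])
    return any(addr in net for net in ADMIN_RANGES) or ev["user"] in ("root", "admin")


# One predicate per Scenario/Filter pair above, in the order listed.
EXCLUSIONS: list[tuple[str, Callable[[Event], bool]]] = [
    ("admin_source",  is_admin_source),
    ("scheduled_job", lambda ev: _like(ev["command_line"], "cron", "systemd")),
    ("dev_host",      lambda ev: _like(ev["host_name"], "dev", "test")),
    ("backup_tool",   lambda ev: _like(ev["command_line"], "rsync", "borgbackup")),
    ("monitoring",    lambda ev: _like(ev["command_line"], "prometheus", "grafana")),
]


def triage(events: list[Event]) -> tuple[list[tuple[Event, None]], list[tuple[Event, str]]]:
    """Split events into (kept, suppressed); suppressed entries carry the name of
    the exclusion that fired. A YARA hit on the ssh-mitm binary is never
    suppressed: its strings do not occur in legitimate SSH software, so none of
    the benign scenarios above can explain it."""
    kept: list[tuple[Event, None]] = []
    suppressed: list[tuple[Event, str]] = []
    for ev in events:
        if ev.get("detection") == YARA_ALERT:
            kept.append((ev, None))
            continue
        fired = next((name for name, pred in EXCLUSIONS if pred(ev)), None)
        if fired is None:
            kept.append((ev, None))
        else:
            suppressed.append((ev, fired))
    return kept, suppressed


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: list[Event] = [
    {"user": "alice", "src_ip": "10.10.0.5", "host_name": "prod-db-01",
     "command_line": "ssh alice@prod-db-01"},                       # admin range
    {"user": "backup", "src_ip": "10.20.0.8", "host_name": "prod-db-01",
     "command_line": "/usr/sbin/cron -f"},                          # scheduled job
    {"user": "root", "src_ip": "203.0.113.7", "host_name": "prod-db-01",
     "command_line": "/tmp/.cache/sshd_mitm -d"},                   # attacker, hidden by user = root
    {"user": "bob", "src_ip": "203.0.113.9", "host_name": "prod-web-01",
     "command_line": "ssh bob@prod-web-01"},                        # unexplained external login
    {"user": "root", "src_ip": "10.10.0.5", "host_name": "prod-db-01",
     "command_line": "/tmp/.cache/sshd_mitm -d",
     "detection": YARA_ALERT},                                      # YARA hit: never suppressed
]


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_EVENTS)
    for ev, why in suppressed:
        print(f"suppressed by {why:14s}: {ev['user']}@{ev['src_ip']} {ev['command_line']}")
    for ev, _ in kept:
        print(f"KEPT for triage      : {ev['user']}@{ev['src_ip']} {ev['command_line']}")
```

The third sample event is the cautionary one: a process run as root from an address outside the admin range is suppressed purely because of the user = root clause, which is why the user-name half of the first exclusion should be tightened or dropped. The last event shows the intended asymmetry: a YARA match on the tool's own strings passes through every exclusion untouched.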