Adversaries may invoke shell commands via SSH to execute arbitrary code on Linux systems, leveraging T1059 to maintain persistence or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
Detection Rule
title: Shell Invocation Via Ssh - Linux
id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
status: test
description: |
    Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/ssh/
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-08-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/ssh'
        CommandLine|contains:
            - 'ProxyCommand=;'
            - 'permitlocalcommand=yes'
            - 'localhost'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
            - 'sh 0<&2 1>&2'
            - 'sh 1>&2 0<&2'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
imProcessCreate
| where (TargetProcessName endswith "/ssh"
         and (TargetProcessCommandLine contains "ProxyCommand=;"
              or TargetProcessCommandLine contains "permitlocalcommand=yes"
              or TargetProcessCommandLine contains "localhost"))
    and (TargetProcessCommandLine contains "/bin/bash"
         or TargetProcessCommandLine contains "/bin/dash"
         or TargetProcessCommandLine contains "/bin/fish"
         or TargetProcessCommandLine contains "/bin/sh"
         or TargetProcessCommandLine contains "/bin/zsh"
         or TargetProcessCommandLine contains "sh 0<&2 1>&2"
         or TargetProcessCommandLine contains "sh 1>&2 0<&2")
Scenario: System Administration via SSH for Remote Maintenance
Description: A system administrator uses SSH to connect to a Linux server and runs commands like ssh user@remote_host 'sudo apt update && sudo apt upgrade' as part of routine maintenance.
Filter/Exclusion: Exclude processes initiated by known admin users (e.g., root, admin, sysadmin) or filter by command-line arguments containing apt, yum, or dnf.
Scenario: Scheduled Job Execution via SSH
Description: A cron job or systemd timer is configured to execute a script over SSH to another server, such as ssh user@backup-server 'rsync /data /backup' for data replication.
Filter/Exclusion: Exclude processes with command-line arguments containing rsync, scp, or ssh used in scheduled tasks (e.g., via /etc/cron.d/ or systemd.timer).
Scenario: Secure Remote Debugging Session
Description: A developer uses SSH to connect to a production server and runs gdb or strace to debug a service, such as ssh user@server 'gdb --ex=bt /usr/bin/myapp'.
Filter/Exclusion: Exclude processes with command-line arguments containing gdb, strace, or ltrace and filter by user accounts typically used for development (e.g., dev, debug).
Scenario: SSH Tunnel Setup for Internal Services
Description: An engineer sets up an SSH tunnel using ssh -L 8080:localhost:80 user@remote-server to access an internal service securely.
Filter/Exclusion: Exclude processes with command-line arguments containing -L, -R, or -D (SSH tunnel options) and filter by user accounts associated
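The following Python is an added example, not part of the Sigma rule, its Sentinel translation, or the Bloomberg authors' material. It evaluates the rule's two selections and the `all of selection_*` condition over constructed process-creation events, then applies tuning filters modelled on the false-positive scenarios above, so the detection logic and the exclusion guidance can be exercised together. Field names TargetProcessName and TargetProcessCommandLine follow the KQL translation; TargetUserName and ParentProcessName, the admin-account set, the scheduler parent-image suffixes and the tool list are assumptions made for the example. Matching is case-insensitive because Sigma's `contains`/`endswith` modifiers and KQL's `contains`/`endswith` operators both compare without case.

```python
"""Added example: evaluate the Sigma rule above against constructed
process-creation events, then apply tuning modelled on the page's
false-positive scenarios. Not part of the rule or its KQL translation."""
import re
import shlex
from typing import Optional

# Match strings copied from the rule. Sigma and KQL string matching is
# case-insensitive, so both sides of every comparison are lower-cased.
IMAGE_SUFFIX = "/ssh"
IMG_MARKERS = ("proxycommand=;", "permitlocalcommand=yes", "localhost")
SHELL_MARKERS = ("/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh",
                 "sh 0<&2 1>&2", "sh 1>&2 0<&2")

# Tuning values taken from the scenarios above; the concrete sets are assumptions.
KNOWN_ADMIN_ACCOUNTS = {"root", "admin", "sysadmin"}
SCHEDULER_PARENTS = ("/cron", "/crond", "/systemd")   # assumed parent image suffixes
MAINTENANCE_TOOLS = {"apt", "yum", "dnf", "rsync", "scp", "gdb", "strace", "ltrace"}
TUNNEL_FLAGS = ("-L", "-R", "-D")


def matches_rule(event: dict) -> bool:
    """`all of selection_*`: selection_img AND selection_cli."""
    image = event.get("TargetProcessName", "").lower()
    cmd = event.get("TargetProcessCommandLine", "").lower()
    selection_img = image.endswith(IMAGE_SUFFIX) and any(m in cmd for m in IMG_MARKERS)
    selection_cli = any(m in cmd for m in SHELL_MARKERS)
    return selection_img and selection_cli


def suppression_reason(event: dict) -> Optional[str]:
    """First tuning filter that applies to a matching event, or None."""
    if event.get("TargetUserName", "") in KNOWN_ADMIN_ACCOUNTS:
        return "known_admin_account"
    if event.get("ParentProcessName", "").endswith(SCHEDULER_PARENTS):
        return "scheduled_task"
    cmd = event.get("TargetProcessCommandLine", "")
    try:
        argv = shlex.split(cmd)
    except ValueError:                 # unbalanced quotes in the captured line
        argv = cmd.split()
    # ssh accepts both "-L 8080:..." and "-L8080:...", hence the prefix check
    if any(tok.startswith(TUNNEL_FLAGS) for tok in argv):
        return "ssh_tunnel_option"
    words = set(re.findall(r"[a-z]+", cmd.lower()))
    if words & MAINTENANCE_TOOLS:
        return "maintenance_tool"
    return None


def triage(events: list) -> list:
    """(event id, verdict) pairs: 'no_match', 'alert' or 'suppressed:<reason>'."""
    out = []
    for ev in events:
        if not matches_rule(ev):
            verdict = "no_match"
        else:
            reason = suppression_reason(ev)
            verdict = "alert" if reason is None else "suppressed:" + reason
        out.append((ev["id"], verdict))
    return out


# Constructed sample events in the shape of the imProcessCreate columns used by
# the KQL translation; TargetUserName and ParentProcessName are assumed columns.
SAMPLE_EVENTS = [
    {"id": "e1", "TargetUserName": "www-data", "ParentProcessName": "/bin/bash",
     "TargetProcessName": "/usr/bin/ssh",
     "TargetProcessCommandLine": "ssh -o ProxyCommand=;sh 0<&2 1>&2 x"},
    {"id": "e2", "TargetUserName": "alice", "ParentProcessName": "/bin/bash",
     "TargetProcessName": "/usr/bin/ssh",
     "TargetProcessCommandLine": "ssh -L 8080:localhost:80 alice@remote-server"},
    {"id": "e3", "TargetUserName": "backup", "ParentProcessName": "/usr/sbin/cron",
     "TargetProcessName": "/usr/bin/ssh",
     "TargetProcessCommandLine": "ssh backup@localhost /bin/sh -c 'rsync -a /data /backup'"},
    {"id": "e4", "TargetUserName": "root", "ParentProcessName": "/bin/bash",
     "TargetProcessName": "/usr/bin/ssh",
     "TargetProcessCommandLine": "ssh -o PermitLocalCommand=yes localhost /bin/bash"},
    {"id": "e5", "TargetUserName": "bob", "ParentProcessName": "/usr/bin/zsh",
     "TargetProcessName": "/usr/bin/ssh",
     "TargetProcessCommandLine": "ssh -L 5432:localhost:5432 bob@db-host /bin/sh"},
]

if __name__ == "__main__":
    for event_id, verdict in triage(SAMPLE_EVENTS):
        print(event_id, verdict)
```

Running the block prints `e1 alert`, `e2 no_match`, `e3 suppressed:scheduled_task`, `e4 suppressed:known_admin_account` and `e5 suppressed:ssh_tunnel_option`. Event e2 shows that the plain tunnel from the last scenario does not even match the rule, since selection_cli requires a shell path or the redirection pattern. Event e4 shows the cost of the known-admin exclusion: a shell spawned through ssh as root is exactly the privilege-escalation case the rule description names, so filtering on the parent process and command-line arguments (e3, e5) and reviewing suppressed events periodically is safer than suppressing whole accounts.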