kqlElastic-2.0from elastic/detection-rules

Unusual SSHD Child Process

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1133 T1546 T1546.004 T1021 T1021.004 T1563 T1563.001

Rule sourcerules/linux/persistence_unusual_sshd_child_process.toml

event.category:process and host.os.type:linux and event.type:start and event.action:(exec or ProcessRollup2) and
process.parent.name:sshd and process.args_count:2 and process.parent.args:"-D" and
not (
  process.command_line:(-bash or -zsh or -sh) or
  process.name:(ractrans or exectask or tty or tput or ferny-askpass or id or ip) or
  process.executable:/var/tmp/foreman-ssh-cmd*/script
)