このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect a resource connecting to many external hosts through SSH.
Strategy
Malware that brute forces SSH logins may act as a worm and use the compromised host to brute force other hosts. This can be identified by a large number of SSH connections to many different public IP addresses.
Triage and response
- Review the destination IP addresses. Determine if the host is expected to make outbound SSH connections.
- Review system authentication logs. Resources exhibiting this behavior are often compromised by SSH brute forcing.
- Review Related Signals and relevant logs for additional malicious activity.
- Repair the root cause of the compromise.
This detection is based on data from Network Performance Monitoring.
