DETECTION OVERVIEW

New Non-Standard SSH Port Activity

Risk Factors

SSH is a common target for attackers because it provides remote control access to other devices. An attacker can easily change a compromised device to communicate on a non-standard port to evade detection. While non-standard port traffic can be legitimate, these activities should be examined before they enable critical and costly attacks.

The system might change the risk score for this detection.

Kill Chain

Command-and-Control

Risk Score

Attack Background

The standard port for SSH traffic is port 22. To establish a secure command-and-control (C&C) channel, an attacker sets up an SSH server on a non-standard port. This port helps the attacker evade egress firewall rules, which prevent unauthorized SSH traffic from leaving the network. An attacker can then exfiltrate data from inside the network on this port.

Mitigation Options

Quarantine the client device while checking for indicators of compromise, such as the presence of malware
Block outbound connections to suspicious external hosts

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases