DETECTION OVERVIEW

Remote Control SSH Traffic

Risk Factors

Attackers often establish command-and-control (C&C) channels through SSH tunneling to maintain control of a compromised device. The presence of a C&C channel on your network indicates that an attacker might be conducting a persistent attack. The ultimate objective of a persistent attack, such as data exfiltration, could have a significant impact on a business or organization.

The system might change the risk score for this detection.

Kill Chain

Actions on Objective

Risk Score

Attack Background

After an attacker installs malware on a victim, the malware might establish or accept an SSH connection from a C&C server, enabling the attacker to securely send malicious commands to the victim.

Because IT administrators often remotely manage devices through a shell, investigate to confirm that the shell activity is legitimate.

Mitigation Options

Configure firewalls to block outbound traffic to suspicious external hosts

Remove or prohibit unnecessary network utilities that enable users to easily create shells for most programming languages

Provision devices to communicate over authorized interfaces

Review access controls to ensure that only necessary users can connect to remote access services

Implement network segmentation and firewall policies to limit how devices can communicate and enforce security zones

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases