Rare SSH Session

The Rare SSH Session Analytics alert indicates that a process performed a rare Secure Shell (SSH) session using NT AUTHORITY\SYSTEM privileges to a remote endpoint and port.

Synopsis

10 minutes
3 days
14 days
10 minutes
Cortex XDR agent endpoint data
Severity
Low

Description

A process performed a rare Secure Shell (SSH) session using NT AUTHORITY\SYSTEM privileges to a remote endpoint and port. For additional context, this alert identifies the full command used to start the session and the total number of endpoints on which the command was run in the last 14 days.
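
One way to approximate the rarity check described above over exported process telemetry, as an added example that is not Cortex XDR's own detection logic. The event tuple layout, the `max_endpoints` threshold, and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM = r"NT AUTHORITY\SYSTEM"
NOW = datetime(2024, 5, 10, 12, 0, 0)  # constructed evaluation time

# Constructed sample telemetry (hypothetical layout):
# (timestamp, endpoint, user, full command line, remote ip, remote port)
EVENTS = [
    ("2024-05-01T09:00:00", "ws-01", SYSTEM, "ssh.exe backup@10.0.0.5 -p 22", "10.0.0.5", 22),
    ("2024-05-02T09:00:00", "ws-02", SYSTEM, "ssh.exe backup@10.0.0.5 -p 22", "10.0.0.5", 22),
    ("2024-05-03T09:00:00", "ws-03", SYSTEM, "ssh.exe backup@10.0.0.5 -p 22", "10.0.0.5", 22),
    ("2024-05-10T11:55:00", "ws-07", SYSTEM, "ssh.exe svc@203.0.113.7 -p 2222", "203.0.113.7", 2222),
    # Not SYSTEM: outside the scope of this alert.
    ("2024-05-09T10:00:00", "ws-04", r"CORP\alice", "ssh.exe alice@198.51.100.9", "198.51.100.9", 22),
    # Older than the 14-day lookback: must not make the ws-07 command look common.
    ("2024-04-15T10:00:00", "ws-09", SYSTEM, "ssh.exe svc@203.0.113.7 -p 2222", "203.0.113.7", 2222),
]

def rare_ssh_sessions(events, now, lookback_days=14, max_endpoints=1):
    """Return SYSTEM SSH sessions whose full command ran on at most
    max_endpoints distinct endpoints within the lookback window."""
    start = now - timedelta(days=lookback_days)
    endpoints_by_cmd = defaultdict(set)
    in_window = []
    for ts, host, user, cmd, ip, port in events:
        when = datetime.fromisoformat(ts)
        if user.upper() != SYSTEM or not (start <= when <= now):
            continue
        endpoints_by_cmd[cmd.lower()].add(host.lower())
        in_window.append((when, host, cmd, ip, port))
    alerts = []
    for when, host, cmd, ip, port in in_window:
        seen_on = len(endpoints_by_cmd[cmd.lower()])
        if seen_on <= max_endpoints:
            alerts.append({
                "time": when.isoformat(),
                "endpoint": host,
                "command": cmd,                        # full command that started the session
                "remote": f"{ip}:{port}",              # remote endpoint and port
                "endpoints_running_command": seen_on,  # prevalence over the last 14 days
            })
    return alerts

if __name__ == "__main__":
    for alert in rare_ssh_sessions(EVENTS, NOW):
        print(alert)
```

Raising `max_endpoints` widens what counts as rare; the scheduled backup command in the sample data only surfaces once the threshold reaches three endpoints.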

Attacker's Goals

Secure Shell (SSH) provides a secure means of remote administration. Attackers can use valid SSH credentials and keys to remotely connect to endpoints running the SSH service.
