IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Potential Linux Ransomware Note Creation Detected Potential Linux Tunneling and/or Port Forwarding »
Elastic Docs Elastic Security Solution [8.8] Detections and alerts Prebuilt rule reference

Potential Linux SSH X11 Forwarding

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Potential Linux SSH X11 Forwarding

edit

This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application’s graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Command and Control
  • Data Source: Elastic Defend
  • Rule Type: BBR

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")

Framework: MITRE ATT&CKTM

« Potential Linux Ransomware Note Creation Detected Potential Linux Tunneling and/or Port Forwarding »