OpenSSH
5 events across 3 channels
Event ID 1 — %1: %2.
Message
Fields
| Name | Description |
|---|---|
| process | — |
| payload | — |
Event ID 2 — %1: %2.
Message
Fields
| Name | Description |
|---|---|
| process | — |
| payload | — |
Example Event
```yaml
system:
  provider: OpenSSH
  guid: C4B57D35-0636-4BC3-A262-370F249F9802
  event_source_name: ''
  event_id: 2
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-10-25T22:48:38.752876+00:00'
  event_record_id: 8
  correlation: {}
  execution:
    process_id: 2320
    thread_id: 1048
  channel: OpenSSH/Admin
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  process: sshd
  payload: 'error: kex_exchange_identification: Connection closed by remote host'
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3 — %1: %2.
Message
Fields
| Name | Description |
|---|---|
| process | — |
| payload | — |
Event ID 4 — %1: %2.
Message
Fields
| Name | Description |
|---|---|
| process | — |
| payload | — |
Example Event
```yaml
system:
  provider: OpenSSH
  guid: C4B57D35-0636-4BC3-A262-370F249F9802
  event_source_name: ''
  event_id: 4
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-10-25T22:56:14.223049+00:00'
  event_record_id: 40
  correlation: {}
  execution:
    process_id: 3136
    thread_id: 3384
  channel: OpenSSH/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  process: sshd
  payload: Received signal 8; terminating.
message: ''
```
Sigma Rules
- OpenSSH Server Listening On Socket
Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6 — %1: %2.
Message
Fields
| Name | Description |
|---|---|
| process | — |
| payload | — |