OpenSSH Server Listening On Socket
Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
Sigma rule (View on GitHub)
1title: OpenSSH Server Listening On Socket
2id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
3status: test
4description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
5references:
6 - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
7 - https://winaero.com/enable-openssh-server-windows-10/
8 - https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
9 - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
10 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
11author: mdecrevoisier
12date: 2022/10/25
13tags:
14 - attack.lateral_movement
15 - attack.t1021.004
16logsource:
17 product: windows
18 service: openssh
19detection:
20 selection:
21 EventID: 4
22 process: sshd
23 payload|startswith: 'Server listening on '
24 condition: selection
25falsepositives:
26 - Legitimate administrator activity
27level: medium
References
Related rules
- Audit CVE Event
- Metasploit Or Impacket Service Installation Via SMB PsExec
- NTLM Logon
- Outgoing Logon with New Credentials
- RDP over Reverse SSH Tunnel WFP