OpenSSH Server Listening On Socket

 1title: OpenSSH Server Listening On Socket
 2id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
 3status: test
 4description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
 5references:
 6    - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
 7    - https://winaero.com/enable-openssh-server-windows-10/
 8    - https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
 9    - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
10    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
11author: mdecrevoisier
12date: 2022/10/25
13tags:
14    - attack.lateral_movement
15    - attack.t1021.004
16logsource:
17    product: windows
18    service: openssh
19detection:
20    selection:
21        EventID: 4
22        process: sshd
23        payload|startswith: 'Server listening on '
24    condition: selection
25falsepositives:
26    - Legitimate administrator activity
27level: medium

References

• EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH at master · mdecrevoisier/EVTX-to-MITRE-Attack

  

  Set of EVTX samples (>270) mapped to MITRE ATT&CK tactic and techniques to measure your SIEM coverage or developed new use cases. - mdecrevoisier/EVTX-to-MITRE-Attack

  
  Read More

• How to Enable OpenSSH Server in Windows 10

  

  As you may already know, Windows 10 includes built-in SSH software - both a client and a server. Here is how to enable the SSH server.

  
  Read More

• Get started with OpenSSH for Windows

  

  Learn how to install and connect to remote machines using the OpenSSH Client and Server for Windows.

  
  Read More

• SSH Server on Windows 10 -- Virtualization Review

  

  Tom Fenton, delighted to discover that Microsoft now includes an SSH server with Windows 10 that unfortunately is not enabled or configured by default, shows you how to do so.

  
  Read More

• Detecting Adversary Tradecraft with Image Load Event Logging and EQL

  

  While examining some malicious Microsoft Office and PE files to look for detection opportunities, I came across a few samples where…

  
  Read More

Related rules

• Audit CVE Event
• Metasploit Or Impacket Service Installation Via SMB PsExec
• NTLM Logon
• Outgoing Logon with New Credentials
• RDP over Reverse SSH Tunnel WFP