Lolbin Ssh.exe Use As Proxy

 1title: Lolbin Ssh.exe Use As Proxy
 2id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
 3status: test
 4description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Ssh/
 7    - https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
 8    - https://gtfobins.github.io/gtfobins/ssh/
 9    - https://man.openbsd.org/ssh_config#ProxyCommand
10    - https://man.openbsd.org/ssh_config#LocalCommand
11author: frack113, Nasreddine Bencherchali
12date: 2022/12/29
13modified: 2023/01/25
14tags:
15    - attack.defense_evasion
16    - attack.t1202
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_parent:
22        # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
23        ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
24    selection_cli_img:
25        Image|endswith: '\ssh.exe'
26    selection_cli_flags:
27        - CommandLine|contains: 'ProxyCommand='
28        - CommandLine|contains|all:
29              - 'PermitLocalCommand'
30              - 'LocalCommand'
31    condition: selection_parent or all of selection_cli_*
32falsepositives:
33    - Legitimate usage for administration purposes
34level: medium

References

• Ssh | LOLBAS

  Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote m...

  
  Read More

• Create Ssh.yml by febou92 · Pull Request #211 · LOLBAS-Project/LOLBAS

  

  Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - Create Ssh.yml by febou92 · Pull Request #211 · LOLBAS-Project/LOLBAS

  
  Read More

• ssh | GTFOBins

  .. / ssh Shell File upload File download File read Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. Reconnecting may help bypassing restr...

  
  Read More

• ssh_config(5) - OpenBSD manual pages

  ssh(1) obtains configuration data from the following sources in the following order: Unless noted otherwise, for each parameter, the first obtained value will be used. The configuration files conta...

  
  Read More

• ssh_config(5) - OpenBSD manual pages

  ssh(1) obtains configuration data from the following sources in the following order: Unless noted otherwise, for each parameter, the first obtained value will be used. The configuration files conta...

  
  Read More

Related rules

• Potentially Suspicious Child Process Of VsCode
• Potentially Suspicious Office Document Executed From Trusted Location
• Potential Arbitrary File Download Using Office Application
• Renamed PAExec Execution
• Suspicious Child Process Of BgInfo.EXE