Lolbin Ssh.exe Use As Proxy
Detect usage of the "ssh.exe" binary as a proxy to launch other programs
Sigma rule

```yaml
title: Lolbin Ssh.exe Use As Proxy
id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
status: test
description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ssh/
    - https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
    - https://gtfobins.github.io/gtfobins/ssh/
    - https://man.openbsd.org/ssh_config#ProxyCommand
    - https://man.openbsd.org/ssh_config#LocalCommand
author: frack113, Nasreddine Bencherchali
date: 2022/12/29
modified: 2023/01/25
tags:
    - attack.defense_evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
        ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
    selection_cli_img:
        Image|endswith: '\ssh.exe'
    selection_cli_flags:
        - CommandLine|contains: 'ProxyCommand='
        - CommandLine|contains|all:
            - 'PermitLocalCommand'
            - 'LocalCommand'
    condition: selection_parent or all of selection_cli_*
falsepositives:
    - Legitimate usage for administration purposes
level: medium
```
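To see how the condition `selection_parent or all of selection_cli_*` behaves, the following added example (not part of the rule or the Sigma project) evaluates the same logic over a handful of constructed process_creation events. Field names follow the Sysmon-style `Image`, `ParentImage` and `CommandLine` used by the rule; all sample command lines are made up for this demonstration.

```python
# Added example: re-implements the rule's detection logic in plain Python
# and runs it over constructed process_creation events (not real telemetry).
SSHD_PATH = r"c:\windows\system32\openssh\sshd.exe"

def matches_ssh_proxy_rule(event: dict) -> bool:
    """Evaluate 'selection_parent or all of selection_cli_*' on one event.
    Sigma string matching is case-insensitive by default, so every
    comparison is done on lower-cased values."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "").lower()

    # selection_parent: any child spawned by the OpenSSH server process
    selection_parent = parent == SSHD_PATH
    # selection_cli_img: Image|endswith '\ssh.exe'
    selection_cli_img = image.endswith("\\ssh.exe")
    # selection_cli_flags: 'ProxyCommand=' OR (both LocalCommand keywords)
    selection_cli_flags = (
        "proxycommand=" in cli
        or ("permitlocalcommand" in cli and "localcommand" in cli)
    )
    return selection_parent or (selection_cli_img and selection_cli_flags)

# Constructed sample events keyed by a short name.
SAMPLE_EVENTS: list[tuple[str, dict]] = [
    ("proxycommand", {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
                      "ParentImage": r"C:\Windows\System32\cmd.exe",
                      "CommandLine": "ssh.exe -o ProxyCommand=calc.exe localhost"}),
    ("localcommand", {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
                      "ParentImage": r"C:\Windows\explorer.exe",
                      "CommandLine": "ssh.exe -o PermitLocalCommand=yes "
                                     "-o LocalCommand=calc.exe localhost"}),
    ("sshd_child", {"Image": r"C:\Windows\System32\cmd.exe",
                    "ParentImage": r"C:\Windows\System32\OpenSSH\sshd.exe",
                    "CommandLine": r'"C:\Windows\System32\cmd.exe" /c whoami'}),
    ("benign_ssh", {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
                    "ParentImage": r"C:\Windows\System32\cmd.exe",
                    "CommandLine": "ssh.exe admin@bastion.example.internal"}),
    # Keyword present but Image is not ssh.exe: 'all of selection_cli_*' fails
    ("keyword_other_image", {"Image": r"C:\Windows\System32\notepad.exe",
                             "ParentImage": r"C:\Windows\explorer.exe",
                             "CommandLine": "notepad.exe ProxyCommand=notes.txt"}),
]

def evaluate_samples() -> dict:
    """Run the rule over every constructed event; True means the rule fires."""
    return {name: matches_ssh_proxy_rule(ev) for name, ev in SAMPLE_EVENTS}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} {'ALERT' if hit else 'ok'}")
```

The last two samples show the two ways the rule stays quiet: a plain interactive `ssh.exe` session, and a ProxyCommand keyword on a process that is not `ssh.exe`.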
Related rules
- Potentially Suspicious Child Process Of VsCode
- Potentially Suspicious Office Document Executed From Trusted Location
- Potential Arbitrary File Download Using Office Application
- Renamed PAExec Execution
- Suspicious Child Process Of BgInfo.EXE