Suspicious Plink Port Forwarding

 1title: Suspicious Plink Port Forwarding
 2id: 48a61b29-389f-4032-b317-b30de6b95314
 3status: test
 4description: Detects suspicious Plink tunnel port forwarding to a local port
 5references:
 6    - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
 7    - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
 8author: Florian Roth (Nextron Systems)
 9date: 2021-01-19
10modified: 2022-10-09
11tags:
12    - attack.command-and-control
13    - attack.t1572
14    - attack.lateral-movement
15    - attack.t1021.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        Description: 'Command-line SSH, Telnet, and Rlogin client'
22        CommandLine|contains: ' -R '
23    condition: selection
24falsepositives:
25    - Administrative activity using a remote port forwarding to a local port
26level: high

References

• https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/

  
  Read More

• Remote SSH Tunneling with Plink.exe

  

  We will demonstrate how we can create a remote ssh tunneling between a Windows Machine having a blocked service and a Linux Machine (Kali…

  
  Read More

Related rules

• Port Forwarding Activity Via SSH.EXE
• RDP Over Reverse SSH Tunnel
• RDP to HTTP or HTTPS Target Ports
• RDP over Reverse SSH Tunnel WFP
• Cisco Stage Data