Suspicious Plink Port Forwarding

Detects suspicious Plink tunnel port forwarding to a local port

Sigma rule (View on GitHub)

 1title: Suspicious Plink Port Forwarding
 2id: 48a61b29-389f-4032-b317-b30de6b95314
 3status: test
 4description: Detects suspicious Plink tunnel port forwarding to a local port
 5references:
 6    - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
 7    - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
 8author: Florian Roth (Nextron Systems)
 9date: 2021/01/19
10modified: 2022/10/09
11tags:
12    - attack.command_and_control
13    - attack.t1572
14    - attack.lateral_movement
15    - attack.t1021.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        Description: 'Command-line SSH, Telnet, and Rlogin client'
22        CommandLine|contains: ' -R '
23    condition: selection
24falsepositives:
25    - Administrative activity using a remote port forwarding to a local port
26level: high

References

Related rules

to-top