Potential RDP Tunneling Via Plink
Execution of plink to perform data exfiltration and tunneling
Sigma rule (View on GitHub)
1title: Potential RDP Tunneling Via Plink
2id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da
3related:
4 - id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe
5 type: similar
6status: test
7description: Execution of plink to perform data exfiltration and tunneling
8references:
9 - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
10author: Florian Roth (Nextron Systems)
11date: 2022-08-04
12modified: 2023-01-27
13tags:
14 - attack.command-and-control
15 - attack.t1572
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_a:
21 Image|endswith: '\plink.exe'
22 CommandLine|contains: ':127.0.0.1:3389'
23 selection_b1:
24 Image|endswith: '\plink.exe'
25 CommandLine|contains: ':3389'
26 selection_b2:
27 CommandLine|contains:
28 - ' -P 443'
29 - ' -P 22'
30 condition: selection_a or all of selection_b*
31falsepositives:
32 - Unknown
33level: high
References
Related rules
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux