Potential RDP Tunneling Via Plink

Jan 29, 2024 · attack.command_and_control attack.t1572 ·

Execution of plink to perform data exfiltration and tunneling

Sigma rule (View on GitHub)

 1title: Potential RDP Tunneling Via Plink
 2id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da
 3related:
 4    - id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe
 5      type: similar
 6status: test
 7description: Execution of plink to perform data exfiltration and tunneling
 8references:
 9    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
10author: Florian Roth (Nextron Systems)
11date: 2022/08/04
12modified: 2023/01/27
13tags:
14    - attack.command_and_control
15    - attack.t1572
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_a:
21        Image|endswith: '\plink.exe'
22        CommandLine|contains: ':127.0.0.1:3389'
23    selection_b1:
24        Image|endswith: '\plink.exe'
25        CommandLine|contains: ':3389'
26    selection_b2:
27        CommandLine|contains:
28            - ' -P 443'
29            - ' -P 22'
30    condition: selection_a or all of selection_b*
31falsepositives:
32    - Unknown
33level: high

References

https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/

Read More

Potential RDP Tunneling Via Plink

Sigma rule (View on GitHub)

References

https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/

Related rules