Port Forwarding Activity Via SSH.EXE
Detects port forwarding activity via SSH.exe
Sigma rule

title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: experimental
description: Detects port forwarding activity via SSH.exe
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1572
    - attack.t1021.001
    - attack.t1021.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ssh.exe'
        CommandLine|contains|windash: ' -R '
    condition: selection
falsepositives:
    - Administrative activity using a remote port forwarding to a local port
level: medium
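To show what the selection above actually matches, here is an added example (not part of the Sigma project or of this rule) that evaluates the rule's two conditions over a handful of constructed Windows process_creation events. It reproduces the `endswith` and `contains|windash` semantics by hand: Sigma string matching is case-insensitive, and `windash` expands the value to one variant per dash style. The `-` and `/` variants are the documented core of `windash`; the Unicode dash variants are assumed here to reflect newer Sigma versions. The event contents, hostnames and IPs are constructed sample data.

```python
# Added example: evaluates this Sigma rule's selection logic over constructed
# process_creation events. Not the Sigma project's own code.

# Dash styles the `windash` modifier expands a value into. '-' and '/' are the
# documented core; the Unicode dashes are an assumption about newer Sigma builds.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_variants(value: str) -> list[str]:
    """Expand a value the way `contains|windash` does: one variant per dash style."""
    return [value.replace("-", dash) for dash in WINDASH_VARIANTS]


def matches_selection(event: dict) -> bool:
    """Image|endswith '\\ssh.exe' AND CommandLine|contains|windash ' -R '.

    Sigma string comparisons are case-insensitive by default, so both sides are
    lower-cased before comparison (this also means ' -r ' would match).
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith("\\ssh.exe"):
        return False
    return any(variant.lower() in cmdline for variant in windash_variants(" -R "))


def run_rule(events: list[dict]) -> list[int]:
    """Return the indices of events that the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_selection(ev)]


# Constructed sample events (not real telemetry). 203.0.113.10 is a documentation IP.
SAMPLE_EVENTS = [
    {   # remote (reverse) forwarding with a dash: matches
        "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
        "CommandLine": "ssh.exe -R 8080:127.0.0.1:8080 -N admin@203.0.113.10",
        "User": "CORP\\admin",
    },
    {   # same option written with a Windows-style slash: matches via windash
        "Image": "C:\\Program Files\\OpenSSH\\ssh.exe",
        "CommandLine": "ssh.exe /R 8080:127.0.0.1:8080 -N admin@203.0.113.10",
        "User": "CORP\\admin",
    },
    {   # local forwarding (-L): the rule only looks for -R, so no match
        "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
        "CommandLine": "ssh.exe -L 5901:127.0.0.1:5901 admin@203.0.113.10",
        "User": "CORP\\admin",
    },
    {   # plink.exe with -R: Image filter excludes it (covered by the Plink rule)
        "Image": "C:\\Tools\\plink.exe",
        "CommandLine": "plink.exe -R 8080:127.0.0.1:8080 admin@203.0.113.10",
        "User": "CORP\\admin",
    },
]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        # A medium-level hit: triage against the false-positive note (admin tunnels)
        print(f"[medium] Port Forwarding Activity Via SSH.EXE: "
              f"user={ev['User']} cmd={ev['CommandLine']}")
```

Events 0 and 1 fire, 2 and 3 do not. When triaging a hit, compare the user and the remote host against known administrative tunnelling (the rule's listed false positive) before escalating, and note that local forwarding (`-L`) and other SSH clients such as plink are deliberately outside this rule's scope.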
Related rules
- RDP Over Reverse SSH Tunnel
- RDP to HTTP or HTTPS Target Ports
- Suspicious Plink Port Forwarding
- RDP over Reverse SSH Tunnel WFP
- Bitbucket Global SSH Settings Changed