Port Forwarding Activity Via SSH.EXE

Detects port forwarding activity via SSH.exe

Sigma rule

title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: experimental
description: Detects port forwarding activity via SSH.exe
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/12
modified: 2024/03/05
tags:
    - attack.command_and_control
    - attack.lateral_movement
    - attack.t1572
    - attack.t1021.001
    - attack.t1021.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ssh.exe'
        CommandLine|contains|windash: ' -R '
    condition: selection
falsepositives:
    - Administrative activity using a remote port forwarding to a local port
level: medium
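To make the selection logic concrete, the following is an added Python example (not part of the rule, and not pySigma or any Sigma backend) that hand-translates the two selection fields and runs them over a handful of constructed process_creation events. It assumes Sigma's default case-insensitive string matching, and it assumes the `windash` modifier expands the leading `-` of the pattern to `/` and the Unicode dash characters (en dash, em dash, horizontal bar); if your backend only expands `-`/`/`, trim `WINDASH_CHARS` accordingly. The event dictionaries and the function names are constructed for this example.

```python
# Hand-translation of the rule's selection (added example, not the rule's own code):
#   Image|endswith: '\ssh.exe'
#   CommandLine|contains|windash: ' -R '
# Assumption: Sigma matching is case-insensitive, and windash expands the leading
# '-' of the pattern to these alternative dash characters.
WINDASH_CHARS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_variants(pattern: str) -> list[str]:
    """Expand a ' -X ' style pattern into every dash spelling windash would generate."""
    if not pattern.startswith(" -"):
        raise ValueError("windash expansion here assumes a pattern beginning with ' -'")
    return [" " + dash + pattern[2:] for dash in WINDASH_CHARS]


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule's selection."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # Image|endswith: '\ssh.exe'  (case-insensitive)
    if not image.endswith("\\ssh.exe"):
        return False
    # CommandLine|contains|windash: ' -R '  (any dash spelling, case-insensitive)
    return any(variant.lower() in cmdline for variant in windash_variants(" -R "))


# Constructed sample events; the Image/CommandLine values are illustrative only.
SSH_IMAGE = r"C:\Windows\System32\OpenSSH\ssh.exe"
SAMPLE_EVENTS = [
    {"name": "remote_forward_dash",   # true positive: classic ' -R '
     "Image": SSH_IMAGE,
     "CommandLine": "ssh.exe -R 8080:localhost:80 user@203.0.113.5"},
    {"name": "remote_forward_slash",  # matched only because of windash
     "Image": SSH_IMAGE,
     "CommandLine": "ssh.exe /R 2222:127.0.0.1:3389 user@203.0.113.5"},
    {"name": "local_forward",         # -L is out of scope for this rule
     "Image": SSH_IMAGE,
     "CommandLine": "ssh.exe -L 8080:localhost:80 user@203.0.113.5"},
    {"name": "plain_login",           # no forwarding at all
     "Image": SSH_IMAGE,
     "CommandLine": "ssh.exe user@203.0.113.5"},
    {"name": "other_ssh_client",      # same flag, different image: not matched
     "Image": r"C:\Tools\putty\plink.exe",
     "CommandLine": "plink.exe -R 8080:localhost:80 user@203.0.113.5"},
]


def evaluate(events: list[dict]) -> list[str]:
    """Names of the events that the rule would flag."""
    return [event["name"] for event in events if matches_rule(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['name']:22s} -> {'ALERT' if matches_rule(event) else 'no match'}")
```

Running it shows the two remote-forwarding events alerting and the rest silent. Two points worth noting when tuning: the rule covers `-R` (remote forwarding) only, so `-L` local forwarding and other SSH clients such as plink are left to other rules, and because Sigma matching is case-insensitive the pattern also matches a lowercase ` -r `, which is harmless here since ssh.exe has no such option.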
