Port Forwarding Activity Via SSH.EXE
Detects remote port forwarding (the -R option) launched via ssh.exe on Windows, which can expose a local service such as RDP through an SSH tunnel to the remote end.
Sigma rule
title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: experimental
description: Detects port forwarding activity via SSH.exe
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/12
modified: 2023/11/06
tags:
    - attack.command_and_control
    - attack.lateral_movement
    - attack.t1572
    - attack.t1021.001
    - attack.t1021.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ssh.exe'
        CommandLine|contains:
            - ' -R '
            - ' /R '
    condition: selection
falsepositives:
    - Administrative activity using a remote port forwarding to a local port
level: medium
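To see what the selection block above actually fires on, here is the same logic evaluated in Python over a handful of constructed process_creation events. This is an added illustration, not code from the SigmaHQ rule or page: the field names follow the Sigma process_creation taxonomy (Image, CommandLine), the sample events are made up, and the casefolding reflects the Sigma specification's default case-insensitive string matching. In production the rule would be compiled by a Sigma backend for your SIEM rather than run like this; the point is to show which command lines match and which variants slip past the two literal substrings.

```python
# Added example: evaluates the rule's 'selection' block over constructed
# process_creation events. Field names (Image, CommandLine) follow the Sigma
# process_creation taxonomy; the events below are made up, not real telemetry.

IMAGE_SUFFIX = "\\ssh.exe"          # Image|endswith: '\ssh.exe'
CMDLINE_NEEDLES = (" -R ", " /R ")  # CommandLine|contains: list items are OR'ed


def matches_selection(event: dict) -> bool:
    """True when the event satisfies 'selection' (both field checks must hold)."""
    # Sigma compares strings case-insensitively unless the 'cased' modifier is
    # used, so both sides are casefolded before comparison.
    image = event.get("Image", "").casefold()
    cmdline = event.get("CommandLine", "").casefold()
    if not image.endswith(IMAGE_SUFFIX.casefold()):
        return False
    return any(needle.casefold() in cmdline for needle in CMDLINE_NEEDLES)


def matching_indices(events: list) -> list:
    """Indices of events the rule would alert on (condition: selection)."""
    return [i for i, ev in enumerate(events) if matches_selection(ev)]


# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    # 0: reverse tunnel exposing local RDP on the remote host -> matches
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    # 1: local forwarding (-L) is outside this rule's scope -> no match
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -L 8080:intranet:80 user@203.0.113.10"},
    # 2: the ' /R ' spelling listed in the rule -> matches
    {"Image": r"C:\Program Files\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe /R 2222:127.0.0.1:22 user@203.0.113.10"},
    # 3: -R bundled with -f and -N; the ' -R ' substring is absent -> no match
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -fNR 3389:127.0.0.1:3389 user@203.0.113.10"},
    # 4: no space between -R and its argument -> no match
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -R3389:127.0.0.1:3389 user@203.0.113.10"},
    # 5: same option on a different binary (see the Plink rule) -> no match here
    {"Image": r"C:\Users\Public\plink.exe",
     "CommandLine": "plink.exe -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    # 6: mixed-case path and image still match (case-insensitive comparison)
    {"Image": r"C:\TOOLS\SSH.EXE",
     "CommandLine": "SSH.EXE -R 3389:127.0.0.1:3389 user@203.0.113.10"},
]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 3 and 4 are worth noting when tuning: `-fNR 3389:...` and `-R3389:...` both set up the same reverse tunnel, but neither contains the space-delimited ` -R ` substring the rule looks for, so they are not alerted on as written. Event 5 shows why the Plink rule listed under related rules exists as a separate entry: the image check restricts this rule to ssh.exe.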
References
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Related rules
- RDP to HTTP or HTTPS Target Ports
- Suspicious Plink Port Forwarding
- RDP Over Reverse SSH Tunnel
- RDP over Reverse SSH Tunnel WFP
- Hermetic Wiper TG Process Patterns