Program Executed Using Proxy/Local Command Via SSH.EXE

Detect usage of the "ssh.exe" binary as a proxy to launch other programs.

Sigma rule (View on GitHub)

 1title: Program Executed Using Proxy/Local Command Via SSH.EXE
 2id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
 3status: test
 4description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Ssh/
 7    - https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
 8    - https://gtfobins.github.io/gtfobins/ssh/
 9    - https://man.openbsd.org/ssh_config#ProxyCommand
10    - https://man.openbsd.org/ssh_config#LocalCommand
11author: frack113, Nasreddine Bencherchali
12date: 2022-12-29
13modified: 2023-01-25
14tags:
15    - attack.defense-evasion
16    - attack.t1218
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_parent:
22        # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
23        ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
24    selection_cli_img:
25        Image|endswith: '\ssh.exe'
26    selection_cli_flags:
27        - CommandLine|contains: 'ProxyCommand='
28        - CommandLine|contains|all:
29              - 'PermitLocalCommand'
30              - 'LocalCommand'
31    condition: selection_parent or all of selection_cli_*
32falsepositives:
33    - Legitimate usage for administration purposes
34level: medium

References

Related rules

to-top