Program Executed Using Proxy/Local Command Via SSH.EXE
Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
Sigma rule
```yaml
title: Program Executed Using Proxy/Local Command Via SSH.EXE
id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
status: test
description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ssh/
    - https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
    - https://gtfobins.github.io/gtfobins/ssh/
    - https://man.openbsd.org/ssh_config#ProxyCommand
    - https://man.openbsd.org/ssh_config#LocalCommand
author: frack113, Nasreddine Bencherchali
date: 2022-12-29
modified: 2025-07-02
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
        ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
    selection_cli_img:
        - Image|endswith: '\ssh.exe'
        - Product: 'OpenSSH for Windows'
        - Hashes|contains:
              - 'IMPHASH=55b4964d29aad5438b9e950052dbbbc0'
              - 'IMPHASH=334d66c33503ccbf647c15b47c27eef4'
              - 'IMPHASH=27b0da080ef92afb37983d30d839141e'
              - 'IMPHASH=977eb4c263d384e47daa0712d34713ab'
              - 'IMPHASH=3eaadce9ae43d5a918bb082065815c3b'
              - 'IMPHASH=980fe6cf0d996ab1eedf877222e722aa'
              - 'IMPHASH=5f959422308ac3d721010d66647e100e'
              - 'IMPHASH=a49aaa3d03d1cd9c8dc7fca60f7f480b'
              - 'IMPHASH=dd335f759b6d5d6a8382b71dd9d65791'
    selection_cli_flags:
        - CommandLine|contains: 'ProxyCommand='
        - CommandLine|contains|all:
              - 'PermitLocalCommand'
              - 'LocalCommand'
    condition: selection_parent or all of selection_cli_*
falsepositives:
    - Legitimate usage for administration purposes
level: medium
```
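To see how the rule's selections combine (list items under a selection are OR-ed, `all of selection_cli_*` AND-s the two CLI selections, and `selection_parent` matches on its own), here is an added Python re-implementation of its matching logic; it is not code from the Sigma project and assumes Sysmon-style field names and the constructed sample events embedded below.

```python
# Added hand-written re-implementation of this rule's matching logic over constructed
# events; it is not Sigma's own engine. Sigma matching is case-insensitive by default.
PARENT_IMAGE = r"c:\windows\system32\openssh\sshd.exe"
IMPHASHES = {  # the nine IMPHASH values listed by the rule
    "55b4964d29aad5438b9e950052dbbbc0", "334d66c33503ccbf647c15b47c27eef4",
    "27b0da080ef92afb37983d30d839141e", "977eb4c263d384e47daa0712d34713ab",
    "3eaadce9ae43d5a918bb082065815c3b", "980fe6cf0d996ab1eedf877222e722aa",
    "5f959422308ac3d721010d66647e100e", "a49aaa3d03d1cd9c8dc7fca60f7f480b",
    "dd335f759b6d5d6a8382b71dd9d65791",
}

def _field(event, key):
    """Lowercased string value of a field, '' when the event lacks it."""
    return str(event.get(key, "")).lower()

def selection_parent(event):
    """Any process spawned directly by the OpenSSH server binary."""
    return _field(event, "ParentImage") == PARENT_IMAGE

def selection_cli_img(event):
    # A list under a selection is OR-ed: one alternative suffices, so a renamed
    # ssh.exe is still caught through its Product string or import hash.
    return (_field(event, "Image").endswith(r"\ssh.exe")
            or _field(event, "Product") == "openssh for windows"
            or any(f"imphash={h}" in _field(event, "Hashes") for h in IMPHASHES))

def selection_cli_flags(event):
    # 'contains' needs the one substring; 'contains|all' needs every listed one.
    cmd = _field(event, "CommandLine")
    return "proxycommand=" in cmd or all(s in cmd for s in ("permitlocalcommand", "localcommand"))

def rule_matches(event):
    """condition: selection_parent or all of selection_cli_*"""
    return selection_parent(event) or (selection_cli_img(event) and selection_cli_flags(event))

# Constructed Sysmon-style process_creation samples, not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "Product": "OpenSSH for Windows",
     "CommandLine": "ssh.exe -o ProxyCommand=notepad.exe user@host"},              # matches
    {"Image": r"C:\Temp\s.exe", "Hashes": "IMPHASH=55b4964d29aad5438b9e950052dbbbc0",
     "CommandLine": "s.exe -o PermitLocalCommand=yes -o LocalCommand=hostname h"},  # matches
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c hostname",
     "ParentImage": r"C:\Windows\System32\OpenSSH\sshd.exe"},                      # matches
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "CommandLine": "ssh.exe user@host"},  # no
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad ProxyCommand=.txt"},  # no
]
```

Note that `LocalCommand` is a substring of `PermitLocalCommand`, so the `contains|all` alternative is satisfied by any command line containing `PermitLocalCommand` alone; the last sample event shows that the CLI flags by themselves never fire without one of the image, product or hash checks.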