Program Executed Using Proxy/Local Command Via SSH.EXE

calendar Jul 3, 2025 · attack.defense-evasion attack.t1218  ·
Share on: linkedin copy

Detect usage of the "ssh.exe" binary as a proxy to launch other programs.

Sigma rule (View on GitHub)

 1title: Program Executed Using Proxy/Local Command Via SSH.EXE
 2id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
 3status: test
 4description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Ssh/
 7    - https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
 8    - https://gtfobins.github.io/gtfobins/ssh/
 9    - https://man.openbsd.org/ssh_config#ProxyCommand
10    - https://man.openbsd.org/ssh_config#LocalCommand
11author: frack113, Nasreddine Bencherchali
12date: 2022-12-29
13modified: 2025-07-02
14tags:
15    - attack.defense-evasion
16    - attack.t1218
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_parent:
22        # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
23        ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
24    selection_cli_img:
25        - Image|endswith: '\ssh.exe'
26        - Product: 'OpenSSH for Windows'
27        - Hashes|contains:
28              - 'IMPHASH=55b4964d29aad5438b9e950052dbbbc0'
29              - 'IMPHASH=334d66c33503ccbf647c15b47c27eef4'
30              - 'IMPHASH=27b0da080ef92afb37983d30d839141e'
31              - 'IMPHASH=977eb4c263d384e47daa0712d34713ab'
32              - 'IMPHASH=3eaadce9ae43d5a918bb082065815c3b'
33              - 'IMPHASH=980fe6cf0d996ab1eedf877222e722aa'
34              - 'IMPHASH=5f959422308ac3d721010d66647e100e'
35              - 'IMPHASH=a49aaa3d03d1cd9c8dc7fca60f7f480b'
36              - 'IMPHASH=dd335f759b6d5d6a8382b71dd9d65791'
37    selection_cli_flags:
38        - CommandLine|contains: 'ProxyCommand='
39        - CommandLine|contains|all:
40              - 'PermitLocalCommand'
41              - 'LocalCommand'
42    condition: selection_parent or all of selection_cli_*
43falsepositives:
44    - Legitimate usage for administration purposes
45level: medium

References

  • Ssh on LOLBAS

    ssh.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

  • Create Ssh.yml by febou92 · Pull Request #211 · LOLBAS-Project/LOLBAS

    Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - Create Ssh.yml by febou92 · Pull Request #211 · LOLBAS-Project/LOLBAS


    Read More

  • ssh | GTFOBins

    .. / ssh Shell File upload File download File read Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. Reconnecting may help bypassing restr...


    Read More

  • ssh_config(5) - OpenBSD manual pages

    ssh(1) obtains configuration data from the following sources in the following order: Unless noted otherwise, for each parameter, the first obtained value will be used. The configuration files conta...


    Read More

  • ssh_config(5) - OpenBSD manual pages

    ssh(1) obtains configuration data from the following sources in the following order: Unless noted otherwise, for each parameter, the first obtained value will be used. The configuration files conta...


    Read More

Related rules

to-top