Potential RDP Tunneling Via SSH
Execution of ssh.exe to perform data exfiltration and tunneling through RDP
Sigma rule (View on GitHub)
1title: Potential RDP Tunneling Via SSH
2id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d
3related:
4 - id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe
5 type: similar
6status: test
7description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
8references:
9 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-10-12
12modified: 2023-01-25
13tags:
14 - attack.command-and-control
15 - attack.t1572
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\ssh.exe'
22 CommandLine|contains: ':3389'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can seem like a daunting task, but after a while you start...
Read More
Related rules
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated
- PUA - 3Proxy Execution