Potential RDP Tunneling Via SSH
Execution of ssh.exe to perform data exfiltration and tunneling through RDP
Sigma rule (View on GitHub)
1title: Potential RDP Tunneling Via SSH
2id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d
3related:
4 - id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe
5 type: similar
6status: test
7description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
8references:
9 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/10/12
12modified: 2023/01/25
13tags:
14 - attack.command_and_control
15 - attack.t1572
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\ssh.exe'
22 CommandLine|contains: ':3389'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can seem like a daunting task, but after a while you start...
Read More
Related rules
- Potential RDP Tunneling Via Plink
- PUA - 3Proxy Execution
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To Ngrok Tunneling Service - Linux