Potential Remote Desktop Tunneling
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
Sigma rule (View on GitHub)
1title: Potential Remote Desktop Tunneling
2id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
3status: test
4description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
5references:
6 - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
7author: Tim Rauch, Elastic (idea)
8date: 2022/09/27
9tags:
10 - attack.lateral_movement
11 - attack.t1021
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
18 selection_opt:
19 CommandLine|contains:
20 - ' -L '
21 - ' -P '
22 - ' -R '
23 - ' -pw '
24 - ' -ssh '
25 condition: all of selection*
26falsepositives:
27 - Unknown
28level: medium
References
-
Potential Remote Desktop Tunneling Detectededit Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network pac...
Read More
Related rules
- Privilege Escalation via Named Pipe Impersonation
- Possible Impacket DCOMExec Connection Attempt - Zeek
- Executable Deployment from Remote Share
- Access To ADMIN$ Network Share
- Metasploit SMB Authentication