SSH over port 443 with known Server and Client Strings
Detects SSH sessions to destination port 443 whose client and server version banners match strings previously observed during SSH tunneling (a PuTTY 0.76 client talking to a Bitvise SSH Server 9.17), where SSH on an HTTPS port is used to blend command-and-control traffic in with web traffic.
Sigma rule
```yaml
title: SSH over port 443 with known Server and Client Strings
id: 3c5791a2-8f29-413d-b511-90918ecb33b7
status: experimental
description: Will detect the presence of known SSH client and SSH server strings that have been used for SSH tunneling.
author: iiamaleks,TheDFIRReport
date: 2022-06-06
modified: 2024-02-23
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
logsource:
    product: zeek
    service: ssh
detection:
    port:
        destination_port: 443
    ssh_client:
        zeek_ssh_client: "SSH-2.0-PuTTY_Release_0.76"
    ssh_server:
        zeek_ssh_server: "SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"
    condition: port and ssh_client and ssh_server
falsepositives:
    - Unknown
level: high
tags:
    - attack.command_and_control
    - attack.t1572
```
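The rule's three selections are ANDed, so a record must carry the port, the exact client banner and the exact server banner to fire. The following Python is an added example, not code from the rule's authors or from any Sigma backend: it applies the rule's logic to a few constructed Zeek ssh.log records (JSON output format, not real traffic). The field mapping from the rule's generic names (`destination_port`, `zeek_ssh_client`, `zeek_ssh_server`) to the native Zeek ssh.log columns (`id.resp_p`, `client`, `server`) is an assumption that in practice lives in the backend configuration; a deployment that lacks it never matches.

```python
import json

# Constructed sample Zeek ssh.log records (JSON log format), not real traffic.
# CxA1 satisfies all three selections; CxA2 is on port 22; CxA3 is a newer
# PuTTY build; CxA4 is an unrelated OpenSSH session on 443.
SAMPLE_SSH_LOG = """
{"ts":1654500000.1,"uid":"CxA1","id.orig_h":"10.0.0.5","id.orig_p":49812,"id.resp_h":"203.0.113.10","id.resp_p":443,"version":2,"client":"SSH-2.0-PuTTY_Release_0.76","server":"SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"}
{"ts":1654500001.2,"uid":"CxA2","id.orig_h":"10.0.0.6","id.orig_p":49813,"id.resp_h":"203.0.113.11","id.resp_p":22,"version":2,"client":"SSH-2.0-PuTTY_Release_0.76","server":"SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"}
{"ts":1654500002.3,"uid":"CxA3","id.orig_h":"10.0.0.7","id.orig_p":49814,"id.resp_h":"203.0.113.12","id.resp_p":443,"version":2,"client":"SSH-2.0-PuTTY_Release_0.78","server":"SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"}
{"ts":1654500003.4,"uid":"CxA4","id.orig_h":"10.0.0.8","id.orig_p":49815,"id.resp_h":"203.0.113.13","id.resp_p":443,"version":2,"client":"SSH-2.0-OpenSSH_8.9p1","server":"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3"}
"""

# Assumed mapping from the rule's Sigma field names to Zeek ssh.log columns.
# In a real deployment this is the backend's field-mapping configuration.
FIELD_MAP = {
    "destination_port": "id.resp_p",
    "zeek_ssh_client": "client",
    "zeek_ssh_server": "server",
}

# The three selections exactly as the rule defines them.
RULE = {
    "port": {"destination_port": 443},
    "ssh_client": {"zeek_ssh_client": "SSH-2.0-PuTTY_Release_0.76"},
    "ssh_server": {"zeek_ssh_server": "SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"},
}


def selection_matches(selection, record):
    """A Sigma selection map is an AND of field: value pairs.
    Plain string values match the whole field, case-insensitively, per the Sigma spec."""
    for sigma_field, expected in selection.items():
        actual = record.get(FIELD_MAP.get(sigma_field, sigma_field))
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def evaluate(record):
    """Implements `condition: port and ssh_client and ssh_server`."""
    return all(selection_matches(RULE[name], record)
               for name in ("port", "ssh_client", "ssh_server"))


def run_rule(log_text):
    """Return the uids of ssh.log records that satisfy the rule."""
    hits = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        if evaluate(record):
            hits.append(record["uid"])
    return hits


if __name__ == "__main__":
    print(run_rule(SAMPLE_SSH_LOG))  # ['CxA1']
```

Only CxA1 fires. CxA3 shows the limit of banner-string indicators: a PuTTY release one version newer slips through, so treat this rule as a high-confidence indicator for the specific tooling seen in the referenced report rather than general SSH-over-443 coverage; a broader detection would key on any SSH banner observed on 443 (the `version`/`client` fields being populated at all on that port) and accept the resulting triage load.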
References
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
Related rules
- Communication To Ngrok Tunneling Service Initiated
- Potential RDP Tunneling Via Plink
- Potential RDP Tunneling Via SSH
- PUA - 3Proxy Execution
- Cloudflared Tunnel Connections Cleanup