SSH over port 443 with known Server and Client Strings

Detects known SSH client and SSH server version strings that have been observed in SSH tunneling, when the connection goes to port 443.

Sigma rule

```yaml
title: SSH over port 443 with known Server and Client Strings
id: 3c5791a2-8f29-413d-b511-90918ecb33b7
status: experimental
description: Will detect the presence of known SSH client and SSH server strings that have been used for SSH tunneling.
author: iiamaleks,TheDFIRReport
date: 2022-06-06
modified: 2024-02-23
references:
  - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
logsource:
  product: zeek
  service: ssh
detection:
  port:
    destination_port: 443
  ssh_client:
    zeek_ssh_client: "SSH-2.0-PuTTY_Release_0.76"
  ssh_server:
    zeek_ssh_server: "SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"
  condition: port and ssh_client and ssh_server
falsepositives:
  - Unknown
level: high
tags:
  - attack.command_and_control
  - attack.t1572
```
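To show how the rule's condition evaluates against actual Zeek output, here is an added Python example (not part of the Sigma rule or of the SigmaHQ project) that applies the three selections to a few constructed ssh.log records in Zeek's JSON output format. The sample records are invented for this illustration; the example assumes the usual mapping of the rule's `destination_port`, `zeek_ssh_client` and `zeek_ssh_server` fields onto Zeek's `id.resp_p`, `client` and `server` columns, and matches the version strings exactly, as a Sigma field without modifiers does.

```python
import json

# Literal values taken from the Sigma rule above.
DEST_PORT = 443
CLIENT_STRING = "SSH-2.0-PuTTY_Release_0.76"
SERVER_STRING = "SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"

# Constructed sample of Zeek ssh.log records (JSON output format).
# Field names id.resp_p / client / server are Zeek's ssh.log columns; mapping
# them onto the rule's destination_port / zeek_ssh_client / zeek_ssh_server
# is this example's assumption. Addresses and uids are made up.
SAMPLE_SSH_LOG = """\
{"ts":1654500000.1,"uid":"CAAAAA1","id.orig_h":"10.0.0.5","id.orig_p":51022,"id.resp_h":"203.0.113.10","id.resp_p":443,"client":"SSH-2.0-PuTTY_Release_0.76","server":"SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"}
{"ts":1654500001.2,"uid":"CAAAAA2","id.orig_h":"10.0.0.6","id.orig_p":51023,"id.resp_h":"203.0.113.11","id.resp_p":22,"client":"SSH-2.0-PuTTY_Release_0.76","server":"SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"}
{"ts":1654500002.3,"uid":"CAAAAA3","id.orig_h":"10.0.0.7","id.orig_p":51024,"id.resp_h":"203.0.113.12","id.resp_p":443,"client":"SSH-2.0-OpenSSH_8.9","server":"SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"}
{"ts":1654500003.4,"uid":"CAAAAA4","id.orig_h":"10.0.0.8","id.orig_p":51025,"id.resp_h":"203.0.113.13","id.resp_p":443,"client":"SSH-2.0-PuTTY_Release_0.76"}
"""


def matches_rule(record: dict) -> bool:
    """Evaluate the rule's condition: port and ssh_client and ssh_server.

    Every selection is an exact comparison, so a record that lacks the
    server banner (Zeek had not seen it yet) does not match.
    """
    port_ok = record.get("id.resp_p") == DEST_PORT
    client_ok = record.get("client") == CLIENT_STRING
    server_ok = record.get("server") == SERVER_STRING
    return port_ok and client_ok and server_ok


def scan_ssh_log(text: str) -> list:
    """Return the uids of matching records; blank or malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line must not abort the scan
        if matches_rule(record):
            hits.append(record["uid"])
    return hits


if __name__ == "__main__":
    for uid in scan_ssh_log(SAMPLE_SSH_LOG):
        print("SSH over 443 with known tunneling strings, connection uid:", uid)
```

Only the first sample record fires: the second goes to port 22, the third has a different client banner, and the fourth has no server banner, so the `and` condition fails for each of them. Because the comparison is exact, a PuTTY or Bitvise build with a different version number will not match this rule as written; that is a deliberate property of the rule, not of the example.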
