SSH over port 443 with known Server and Client Strings
Will detect the presence of known SSH client and SSH server strings that have been used for SSH tunneling.
Sigma rule
title: SSH over port 443 with known Server and Client Strings
id: 3c5791a2-8f29-413d-b511-90918ecb33b7
status: experimental
description: Will detect the presence of known SSH client and SSH server strings that have been used for SSH tunneling.
author: iiamaleks,TheDFIRReport
date: 2022-06-06
modified: 2024-02-23
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
logsource:
    product: zeek
    service: ssh
detection:
    selection_port:
        destination_port: 443
    selection_ssh_client:
        zeek_ssh_client: "SSH-2.0-PuTTY_Release_0.76"
    selection_ssh_server:
        zeek_ssh_server: "SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
tags:
    - attack.command-and-control
    - attack.t1572
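The rule's logic, applied over Zeek ssh.log records, as an added example (not SigmaHQ's or Zeek's own code). It assumes the Sigma fields map onto Zeek's JSON ssh.log names as destination_port -> id.resp_p, zeek_ssh_client -> client, zeek_ssh_server -> server, and the sample records are constructed.

```python
import json

# Rule constants taken verbatim from the Sigma rule above.
DEST_PORT = 443
KNOWN_CLIENT = "SSH-2.0-PuTTY_Release_0.76"
KNOWN_SERVER = "SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"


def matches_rule(event: dict) -> bool:
    """True when all three selections hold ('condition: all of selection_*').
    Field mapping is an assumption: destination_port -> id.resp_p,
    zeek_ssh_client -> client, zeek_ssh_server -> server."""
    return (
        event.get("id.resp_p") == DEST_PORT
        and event.get("client") == KNOWN_CLIENT
        and event.get("server") == KNOWN_SERVER
    )


def scan(lines):
    """Apply the rule to JSON-per-line ssh.log input; return uids of matches.
    Malformed lines and records missing a field are skipped, not matched."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_rule(ev):
            hits.append(ev.get("uid"))
    return hits


# Constructed sample records (Zeek JSON ssh.log layout), not real captures.
# Only CAbc1 satisfies all three selections: CAbc2 is on port 22, CAbc3 has
# different banners, CAbc4 lacks the server banner (e.g. handshake not seen).
SAMPLE_LOG = """
{"ts":1654500000.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.10","id.resp_p":443,"client":"SSH-2.0-PuTTY_Release_0.76","server":"SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"}
{"ts":1654500001.2,"uid":"CAbc2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"203.0.113.11","id.resp_p":22,"client":"SSH-2.0-PuTTY_Release_0.76","server":"SSH-2.0-9.17 FlowSsh: Bitvise SSH Server (WinSSHD) 9.17"}
{"ts":1654500002.3,"uid":"CAbc3","id.orig_h":"10.0.0.6","id.orig_p":51002,"id.resp_h":"203.0.113.12","id.resp_p":443,"client":"SSH-2.0-OpenSSH_8.9","server":"SSH-2.0-OpenSSH_8.9p1"}
{"ts":1654500003.4,"uid":"CAbc4","id.orig_h":"10.0.0.7","id.orig_p":51003,"id.resp_h":"203.0.113.13","id.resp_p":443,"client":"SSH-2.0-PuTTY_Release_0.76"}
not json at all
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))  # ['CAbc1']
```

Because the condition requires every selection, a session on 443 that exposes only one of the two banners does not fire; widening to any one selection would trade the rule's high confidence for more noise.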
Related rules
- Port Forwarding Activity Via SSH.EXE
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux