Port Forwarding Activity Via SSH.EXE

Hunt Hypothesis

Detects port forwarding activity via SSH.exe

Detection Rule

Sigma (Original)

title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: test
description: Detects port forwarding activity via SSH.exe
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1572
    - attack.t1021.001
    - attack.t1021.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ssh.exe'
        CommandLine|contains|windash: ' -R '
    condition: selection
falsepositives:
    - Administrative activity using a remote port forwarding to a local port
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\ssh.exe" and (TargetProcessCommandLine contains " -R " or TargetProcessCommandLine contains " /R " or TargetProcessCommandLine contains " –R " or TargetProcessCommandLine contains " —R " or TargetProcessCommandLine contains " ―R ")

Required Data Sources

Sentinel Table	Notes
`imProcessCreate`	Ensure this data connector is enabled

False Positive Guidance

Administrative activity using a remote port forwarding to a local port

MITRE ATT&CK Context

Tactic: Command and Control
Tactic: Lateral Movement
Technique: T1572 — T1572
Technique: T1021.001 — T1021.001
Technique: T1021.004 — T1021.004

Port Forwarding Activity Via SSH.EXE

Hunt Hypothesis

Detection Rule

Sigma (Original)

KQL (Azure Sentinel)

Required Data Sources

False Positive Guidance

MITRE ATT&CK Context

References