
Program Executed Using Proxy/Local Command Via SSH.EXE

Format: Sigma · Level: MEDIUM · Source: SigmaHQ · ATT&CK: T1218 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-20T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detect usage of the “ssh.exe” binary as a proxy to launch other programs.

Detection Rule

Sigma (Original)

title: Program Executed Using Proxy/Local Command Via SSH.EXE
id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
status: test
description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ssh/
    - https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
    - https://gtfobins.github.io/gtfobins/ssh/
    - https://man.openbsd.org/ssh_config#ProxyCommand
    - https://man.openbsd.org/ssh_config#LocalCommand
author: frack113, Nasreddine Bencherchali
date: 2022-12-29
modified: 2025-10-16
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
        ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
    selection_cli_img:
        - Image|endswith: '\ssh.exe'
        - Product: 'OpenSSH for Windows'
        - Hashes|contains:
              - 'IMPHASH=55b4964d29aad5438b9e950052dbbbc0'
              - 'IMPHASH=334d66c33503ccbf647c15b47c27eef4'
              - 'IMPHASH=27b0da080ef92afb37983d30d839141e'
              - 'IMPHASH=977eb4c263d384e47daa0712d34713ab'
              - 'IMPHASH=3eaadce9ae43d5a918bb082065815c3b'
              - 'IMPHASH=980fe6cf0d996ab1eedf877222e722aa'
              - 'IMPHASH=5f959422308ac3d721010d66647e100e'
              - 'IMPHASH=a49aaa3d03d1cd9c8dc7fca60f7f480b'
              - 'IMPHASH=dd335f759b6d5d6a8382b71dd9d65791'
    selection_cli_flags:
        - CommandLine|contains: 'ProxyCommand='
        - CommandLine|contains|all:
              - 'PermitLocalCommand=yes'
              - ' LocalCommand'
    condition: selection_parent or all of selection_cli_*
falsepositives:
    - Legitimate usage for administration purposes
level: medium
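As an added example, not part of the SigmaHQ rule or of this feed, the following Python re-implements the rule's condition (selection_parent or all of selection_cli_*) and runs it over constructed process-creation events; the jump-host case shows the legitimate administrative ProxyCommand use the rule lists as a false positive, and the renamed-binary case shows why the IMPHASH list is there. The ProcEvent field names are an assumption of this example, not Sigma or Sentinel field names.

```python
from dataclasses import dataclass

SSH_IMPHASHES = {  # copied from the rule's selection_cli_img block
    "55b4964d29aad5438b9e950052dbbbc0", "334d66c33503ccbf647c15b47c27eef4",
    "27b0da080ef92afb37983d30d839141e", "977eb4c263d384e47daa0712d34713ab",
    "3eaadce9ae43d5a918bb082065815c3b", "980fe6cf0d996ab1eedf877222e722aa",
    "5f959422308ac3d721010d66647e100e", "a49aaa3d03d1cd9c8dc7fca60f7f480b",
    "dd335f759b6d5d6a8382b71dd9d65791",
}
SSHD = r"c:\windows\system32\openssh\sshd.exe"

@dataclass
class ProcEvent:  # assumed field names; the process_creation fields the rule references
    image: str
    command_line: str
    parent_image: str = ""
    product: str = ""
    hashes: str = ""  # Sysmon-style "SHA256=...,IMPHASH=..."

def selection_parent(e: ProcEvent) -> bool:
    # Sigma string matching is case-insensitive, so everything is lowercased.
    return e.parent_image.lower() == SSHD

def selection_cli_img(e: ProcEvent) -> bool:
    # A YAML list under a selection is OR-ed: any one identifier of ssh.exe suffices.
    h = e.hashes.lower()
    return (e.image.lower().endswith("\\ssh.exe")
            or e.product.lower() == "openssh for windows"
            or any(f"imphash={x}" in h for x in SSH_IMPHASHES))

def selection_cli_flags(e: ProcEvent) -> bool:
    # 'contains|all' needs both substrings; the leading space in " LocalCommand" is kept.
    cl = e.command_line.lower()
    return "proxycommand=" in cl or ("permitlocalcommand=yes" in cl and " localcommand" in cl)

def matches(e: ProcEvent) -> bool:
    # condition: selection_parent or all of selection_cli_*
    return selection_parent(e) or (selection_cli_img(e) and selection_cli_flags(e))

# Constructed sample events, not real telemetry.
SSH = r"C:\Windows\System32\OpenSSH\ssh.exe"
SAMPLES = {
    "plain_ssh": ProcEvent(SSH, "ssh admin@host"),
    "jump_host": ProcEvent(SSH, 'ssh -o ProxyCommand="nc %h %p" admin@host'),
    "local_cmd": ProcEvent(SSH, "ssh -o PermitLocalCommand=yes -o LocalCommand=hostname host"),
    "renamed": ProcEvent(r"C:\Temp\s.exe", "s.exe -o ProxyCommand=x host",
                         hashes="IMPHASH=55B4964D29AAD5438B9E950052DBBBC0"),
    "sshd_child": ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c hostname",
                            parent_image=r"C:\Windows\System32\OpenSSH\sshd.exe"),
}
```

Only plain_ssh stays quiet; jump_host fires although it is ordinary administration, which is the false positive the rule itself documents.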

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName =~ "C:\\Windows\\System32\\OpenSSH\\sshd.exe"
         or ActingProcessName =~ "C:\\Windows\\System32\\OpenSSH\\sshd.exe")
    or ((TargetProcessName endswith "\\ssh.exe"
         or TargetProcessFileProduct =~ "OpenSSH for Windows"
         or (TargetProcessIMPHASH startswith "55b4964d29aad5438b9e950052dbbbc0"
             or TargetProcessIMPHASH startswith "334d66c33503ccbf647c15b47c27eef4"
             or TargetProcessIMPHASH startswith "27b0da080ef92afb37983d30d839141e"
             or TargetProcessIMPHASH startswith "977eb4c263d384e47daa0712d34713ab"
             or TargetProcessIMPHASH startswith "3eaadce9ae43d5a918bb082065815c3b"
             or TargetProcessIMPHASH startswith "980fe6cf0d996ab1eedf877222e722aa"
             or TargetProcessIMPHASH startswith "5f959422308ac3d721010d66647e100e"
             or TargetProcessIMPHASH startswith "a49aaa3d03d1cd9c8dc7fca60f7f480b"
             or TargetProcessIMPHASH startswith "dd335f759b6d5d6a8382b71dd9d65791"))
        and (TargetProcessCommandLine contains "ProxyCommand="
             or (TargetProcessCommandLine contains "PermitLocalCommand=yes"
                 and TargetProcessCommandLine contains " LocalCommand")))

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

The rule's falsepositives entry names legitimate usage for administration purposes: ProxyCommand and LocalCommand are documented ssh_config options (see the referenced OpenBSD man pages), so administrators who tunnel through jump hosts or run a local command on connect will trigger the selection_cli_* branch.

MITRE ATT&CK Context

Tagged attack.t1218 (System Binary Proxy Execution) and attack.stealth: a signed, Microsoft-shipped ssh.exe is used to launch another program on the operator's behalf.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml