32 lines
1.0 KiB
YAML
32 lines
1.0 KiB
YAML
title: Suspicious Plink Remote Forwarding
|
|
author: Florian Roth
|
|
date: 2021/01/19
|
|
description: Detects suspicious Plink tunnel remote forarding to a local port
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
Description: Command-line SSH, Telnet, and Rlogin client
|
|
SELECTION_3:
|
|
CommandLine: '* -R *'
|
|
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
|
|
falsepositives:
|
|
- Administrative activity using a remote port forwarding to a local port
|
|
id: 48a61b29-389f-4032-b317-b30de6b95314
|
|
level: high
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
references:
|
|
- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
|
|
- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
|
|
status: experimental
|
|
tags:
|
|
- attack.command_and_control
|
|
- attack.t1572
|
|
- attack.lateral_movement
|
|
- attack.t1021.001
|
|
yml_filename: sysmon_susp_plink_remote_forward.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
|
|
|