Techniques
Sample rules
Port Forwarding Activity Via SSH.EXE
- source: sigma
- techniques:
  - t1021
  - t1021.001
  - t1021.004
  - t1572
Description
Detects port forwarding activity via SSH.exe
Detection logic
condition: selection
selection:
  CommandLine|contains|windash: ' -R '
  Image|endswith: \ssh.exe
Suspicious Plink Port Forwarding
- source: sigma
- techniques:
  - t1021
  - t1021.001
  - t1572
Description
Detects suspicious Plink tunnel port forwarding to a local port
Detection logic
condition: selection
selection:
  CommandLine|contains: ' -R '
  Description: Command-line SSH, Telnet, and Rlogin client
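
The two selections above, evaluated over constructed process-creation events. This is an added example, not part of the original rules or of any Sigma tooling. The set of dash forms tried for `windash`, the rule function names and all event values (paths, hosts, ports) are assumptions made for illustration.

```python
# Added example: evaluates the two selections above over constructed events.
DASHES = ["-", "/", "\u2013", "\u2014", "\u2015"]  # assumed windash variants

def contains(field, needle, windash=False):
    """Sigma 'contains': case-insensitive substring; windash tries each dash form."""
    needles = [needle.replace("-", d) for d in DASHES] if windash else [needle]
    return any(n.lower() in field.lower() for n in needles)

def ssh_port_forwarding(ev):
    """Port Forwarding Activity Via SSH.EXE: both fields must match (AND)."""
    return (contains(ev.get("CommandLine", ""), " -R ", windash=True)
            and ev.get("Image", "").lower().endswith("\\ssh.exe"))

def plink_port_forwarding(ev):
    """Suspicious Plink Port Forwarding: keyed on the PE Description field."""
    return (contains(ev.get("CommandLine", ""), " -R ")
            and ev.get("Description", "").lower()
            == "command-line ssh, telnet, and rlogin client")

RULES = {
    "Port Forwarding Activity Via SSH.EXE": ssh_port_forwarding,
    "Suspicious Plink Port Forwarding": plink_port_forwarding,
}

# Constructed process-creation events (hosts, ports and paths are placeholders).
EVENTS = [
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -R 8080:127.0.0.1:3389 user@host.example"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe /R 8080:127.0.0.1:3389 user@host.example"},
    {"Image": r"C:\Tools\plink.exe",
     "Description": "Command-line SSH, Telnet, and Rlogin client",
     "CommandLine": "plink.exe -R 8080:127.0.0.1:3389 user@host.example"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe user@host.example"},
]

def evaluate(events):
    """Return, per event, the titles of the rules whose selection matches."""
    return [[title for title, rule in RULES.items() if rule(ev)] for ev in events]

if __name__ == "__main__":
    for ev, hits in zip(EVENTS, evaluate(EVENTS)):
        print(ev["CommandLine"], "->", hits or "no match")
```
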