Techniques
Sample rules
New Generic Credentials Added Via Cmdkey.EXE
- source: sigma
- techniques:
  - t1003
  - t1003.005
Description
Detects usage of “cmdkey.exe” to add generic credentials. As an example, this can be used before connecting to an RDP session via the command-line interface.
Detection logic
condition: all of selection_*
selection_cli_generic:
  CommandLine|contains|windash: ' -g'
selection_cli_password:
  CommandLine|contains|windash: ' -p'
selection_cli_user:
  CommandLine|contains|windash: ' -u'
selection_img:
  - Image|endswith: \cmdkey.exe
  - OriginalFileName: cmdkey.exe
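As an added illustration (not code from the rule or from the Sigma project), the following Python evaluates the cmdkey rule above over constructed process-creation events. The set of dash characters the windash modifier expands to, and the case-insensitive string matching, are assumptions about the modifier's behaviour rather than something stated on this page.

```python
# Assumed windash expansion: a "-" in the search value also matches the
# Windows "/" switch form and the Unicode en/em dashes (assumption).
WINDASH_VARIANTS = ["-", "/", "\u2013", "\u2014"]

def windash_variants(value: str) -> list:
    """Expand the single dash in a ' -x' style value into every windash variant."""
    if "-" not in value:
        return [value]
    idx = value.index("-")
    return [value[:idx] + d + value[idx + 1:] for d in WINDASH_VARIANTS]

def contains_windash(field: str, value: str) -> bool:
    """'contains|windash': any expanded variant is a case-insensitive substring."""
    haystack = field.lower()
    return any(v.lower() in haystack for v in windash_variants(value))

def matches_cmdkey_generic_credentials(event: dict) -> bool:
    """condition 'all of selection_*': every selection block must match."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    selection_cli_generic = contains_windash(cmd, " -g")
    selection_cli_password = contains_windash(cmd, " -p")
    selection_cli_user = contains_windash(cmd, " -u")
    # selection_img is a YAML list, so either item satisfying it is enough (OR)
    selection_img = (image.lower().endswith("\\cmdkey.exe")
                     or original.lower() == "cmdkey.exe")
    return all([selection_cli_generic, selection_cli_password,
                selection_cli_user, selection_img])

# Constructed sample events (not real telemetry): one true positive, one cmdkey
# invocation without credential switches, one non-cmdkey process echoing the flags.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": r"cmdkey.exe /generic:TERMSRV/host01 /user:corp\jdoe /pass:Example1"},
    {"Image": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": r"cmdkey -list"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo -g -p -u"},
]

def run_rule(events: list) -> list:
    """Return one boolean verdict per event."""
    return [matches_cmdkey_generic_credentials(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_rule(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
```

Only the first event fires: the second lacks the three switches and the third has the switches but fails selection_img, which is what keeps the rule from alerting on unrelated processes that merely mention -g/-p/-u.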
Program Executed Using Proxy/Local Command Via SSH.EXE
- source: sigma
- techniques:
  - t1218
Description
Detects usage of the “ssh.exe” binary as a proxy to launch other programs.
Detection logic
condition: selection_parent or all of selection_cli_*
selection_cli_flags:
  - CommandLine|contains: ProxyCommand=
  - CommandLine|contains|all:
      - PermitLocalCommand
      - LocalCommand
selection_cli_img:
  - Image|endswith: \ssh.exe
  - Product: OpenSSH for Windows
  - Hashes|contains:
      - IMPHASH=55b4964d29aad5438b9e950052dbbbc0
      - IMPHASH=334d66c33503ccbf647c15b47c27eef4
      - IMPHASH=27b0da080ef92afb37983d30d839141e
      - IMPHASH=977eb4c263d384e47daa0712d34713ab
      - IMPHASH=3eaadce9ae43d5a918bb082065815c3b
      - IMPHASH=980fe6cf0d996ab1eedf877222e722aa
      - IMPHASH=5f959422308ac3d721010d66647e100e
      - IMPHASH=a49aaa3d03d1cd9c8dc7fca60f7f480b
      - IMPHASH=dd335f759b6d5d6a8382b71dd9d65791
selection_parent:
  ParentImage: C:\Windows\System32\OpenSSH\sshd.exe