LoFP / legitimate usage for administration purposes

Techniques

Sample rules

Lolbin Ssh.exe Use As Proxy

Description

Detects usage of the “ssh.exe” binary as a proxy to launch other programs.

Detection logic

condition: selection_parent or all of selection_cli_*
selection_cli_flags:
- CommandLine|contains: ProxyCommand=
- CommandLine|contains|all:
  - PermitLocalCommand
  - LocalCommand
selection_cli_img:
  Image|endswith: \ssh.exe
selection_parent:
  ParentImage: C:\Windows\System32\OpenSSH\sshd.exe

New Generic Credentials Added Via Cmdkey.EXE

Description

Detects usage of “cmdkey.exe” to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.

Detection logic

condition: all of selection_*
selection_cli_generic:
  CommandLine|contains|windash: ' -g'
selection_cli_password:
  CommandLine|contains|windash: ' -p'
selection_cli_user:
  CommandLine|contains|windash: ' -u'
selection_img:
- Image|endswith: \cmdkey.exe
- OriginalFileName: cmdkey.exe
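To see what these two detection logics actually match, here is an added evaluator (not the Sigma project's or pySigma's code) that applies both rules to constructed Sysmon-style process-creation events, including the legitimate administrative usage this LoFP entry describes. It assumes Sigma's case-insensitive string matching and a simplified `windash` modifier that only swaps `-` for `/`.

```python
from typing import Dict, List, Tuple

def contains_windash(haystack: str, needle: str) -> bool:
    """Simplified Sigma 'contains|windash': also accept '/' in place of '-'."""
    h = haystack.lower()
    return needle.lower() in h or needle.lower().replace("-", "/") in h

def ssh_proxy_rule(ev: Dict[str, str]) -> bool:
    """Lolbin Ssh.exe Use As Proxy: selection_parent or all of selection_cli_*."""
    cli = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower() == r"c:\windows\system32\openssh\sshd.exe"
    img = ev.get("Image", "").lower().endswith(r"\ssh.exe")
    flags = "proxycommand=" in cli or ("permitlocalcommand" in cli and "localcommand" in cli)
    return parent or (img and flags)

def cmdkey_generic_rule(ev: Dict[str, str]) -> bool:
    """New Generic Credentials Added Via Cmdkey.EXE: all of selection_*."""
    cli = ev.get("CommandLine", "")
    img = (ev.get("Image", "").lower().endswith(r"\cmdkey.exe")
           or ev.get("OriginalFileName", "").lower() == "cmdkey.exe")
    return img and all(contains_windash(cli, s) for s in (" -g", " -p", " -u"))

RULES = {"Lolbin Ssh.exe Use As Proxy": ssh_proxy_rule,
         "New Generic Credentials Added Via Cmdkey.EXE": cmdkey_generic_rule}

# Constructed process-creation events (not real telemetry); host and user names are placeholders.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmdkey.exe",        # admin saving RDP credentials
     "CommandLine": r"cmdkey /generic:TERMSRV/fs01 /user:CORP\admin /pass:<redacted>"},
    {"Image": r"C:\Windows\System32\cmdkey.exe",        # listing only: should not match
     "CommandLine": "cmdkey /list"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",   # jump host reached via ProxyCommand
     "CommandLine": 'ssh.exe -o ProxyCommand="connect %h %p" jump01'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\OpenSSH\sshd.exe",   # shell of a remote admin session
     "CommandLine": "powershell.exe"},
]

def run_rules(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule title) for every rule that fires on each event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for i, name in run_rules(EVENTS):
        print(f"event {i}: {name}")
```

Events 0, 2 and 3 all fire although each is routine administration, which is exactly why both rules carry this false-positive note; tuning usually means filtering on the admin accounts, jump hosts or sshd parent context your environment expects.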