Merge PR #5181 from @swachchhanda000 - update SSH proxy execution rule

update: Program Executed Using Proxy/Local Command Via SSH.EXE - add Imphash and OriginalFileName

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Swachchhanda Shrawan Poudel
2025-07-03 13:25:29 +05:45
committed by GitHub
parent e597e13d6c
commit 7a81b073e0
@@ -10,7 +10,7 @@ references:
- https://man.openbsd.org/ssh_config#LocalCommand
author: frack113, Nasreddine Bencherchali
date: 2022-12-29
modified: 2023-01-25
modified: 2025-07-02
tags:
- attack.defense-evasion
- attack.t1218
@@ -22,7 +22,18 @@ detection:
# ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
selection_cli_img:
Image|endswith: '\ssh.exe'
- Image|endswith: '\ssh.exe'
- Product: 'OpenSSH for Windows'
- Hashes|contains:
- 'IMPHASH=55b4964d29aad5438b9e950052dbbbc0'
- 'IMPHASH=334d66c33503ccbf647c15b47c27eef4'
- 'IMPHASH=27b0da080ef92afb37983d30d839141e'
- 'IMPHASH=977eb4c263d384e47daa0712d34713ab'
- 'IMPHASH=3eaadce9ae43d5a918bb082065815c3b'
- 'IMPHASH=980fe6cf0d996ab1eedf877222e722aa'
- 'IMPHASH=5f959422308ac3d721010d66647e100e'
- 'IMPHASH=a49aaa3d03d1cd9c8dc7fca60f7f480b'
- 'IMPHASH=dd335f759b6d5d6a8382b71dd9d65791'
selection_cli_flags:
- CommandLine|contains: 'ProxyCommand='
- CommandLine|contains|all:
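Review bot: The new `selection_cli_img` branch `Product: 'OpenSSH for Windows'` does not match the commit title, which says OriginalFileName was added; `Product` is shared by every binary shipped in that package (sshd.exe, scp.exe, sftp.exe, ssh-agent.exe), so as an OR-alternative it widens the image selector well beyond ssh.exe and only the ProxyCommand/LocalCommand flags in `selection_cli_flags` keep the rule narrow. If a rename-resistant match on the client binary is what was intended, `OriginalFileName: 'ssh.exe'` is the usual Sysmon/Sigma field for that (confirm the value against the binary's version resource before adding it). The IMPHASH values are carried only in `Hashes|contains`; SigmaHQ process_creation rules normally pair that list with an `Imphash:` list of the same values so backends that map the dedicated field still fire. The `selection_cli_flags` list and the rule's `condition` continue past the end of the hunk.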