From 7a81b073e06c26db2eec1de60a3a1289f110a248 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Thu, 3 Jul 2025 13:25:29 +0545
Subject: [PATCH] Merge PR #5181 from @swachchhanda000 - update SSH proxy execution rule update: Program Executed Using Proxy/Local Command Via SSH.EXE - add Imphash and OriginalFileName
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
.../proc_creation_win_ssh_proxy_execution.yml | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml
index 521b89ba0..738fd6d36 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml
@@ -10,7 +10,7 @@ references:
 - https://man.openbsd.org/ssh_config#LocalCommand
 author: frack113, Nasreddine Bencherchali
 date: 2022-12-29
-modified: 2023-01-25
+modified: 2025-07-02
 tags:
 - attack.defense-evasion
 - attack.t1218
@@ -22,7 +22,18 @@ detection:
 # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
 ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
 selection_cli_img:
- Image|endswith: '\ssh.exe'
+ - Image|endswith: '\ssh.exe'
+ - Product: 'OpenSSH for Windows'
+ - Hashes|contains:
+ - 'IMPHASH=55b4964d29aad5438b9e950052dbbbc0'
+ - 'IMPHASH=334d66c33503ccbf647c15b47c27eef4'
+ - 'IMPHASH=27b0da080ef92afb37983d30d839141e'
+ - 'IMPHASH=977eb4c263d384e47daa0712d34713ab'
+ - 'IMPHASH=3eaadce9ae43d5a918bb082065815c3b'
+ - 'IMPHASH=980fe6cf0d996ab1eedf877222e722aa'
+ - 'IMPHASH=5f959422308ac3d721010d66647e100e'
+ - 'IMPHASH=a49aaa3d03d1cd9c8dc7fca60f7f480b'
+ - 'IMPHASH=dd335f759b6d5d6a8382b71dd9d65791'
 selection_cli_flags:
 - CommandLine|contains: 'ProxyCommand='
 - CommandLine|contains|all:
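Review bot: `Product: 'OpenSSH for Windows'` is a far looser anchor than the `Image|endswith: '\ssh.exe'` it is OR'd with in the second hunk: once `selection_cli_img` becomes a list of maps any single entry matches, and that product string is presumably stamped on every binary in the OpenSSH for Windows package (sshd.exe, scp.exe, sftp.exe, ssh-agent.exe), so the selection no longer pins ssh.exe even though the rule title and the commit message ("add Imphash and OriginalFileName") say it should. If the goal was a rename-resistant identifier for ssh.exe, `- OriginalFileName: 'ssh.exe'` gives that without widening to sibling binaries; if catching scp/sftp invoked with `ProxyCommand=` is intended, the title and the `falsepositives` entry (outside this hunk) should say so. The nine `IMPHASH=` values carry no provenance, so a comment above the list such as `# Imphashes of ssh.exe across OpenSSH for Windows releases - extend when a new release ships` would tell the next maintainer what they are and that they go stale with each new build. The `condition` that combines `selection_cli_img` with `selection_cli_flags` lies outside the hunk, as does the rest of the `selection_cli_flags` list, so the effective scope of this widening should be re-checked against it.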