rule: plink anomaly rules

rules/windows/network_connection/sysmon_susp_plink_non_standard_port.yml

@@ -0,0 +1,27 @@
+title: Suspicious Plink Non-Standard Port
+id: 576131ea-77e3-4f8e-ab39-f0bcbcc7c68c
+status: experimental
+description: Detects suspicious Plink use to a port that is not Port 22/tcp (default for SSH)
+references:
+    - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
+    - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
+author: Florian Roth
+date: 2021/01/19
+tags:
+    - attack.command_and_control
+    - attack.t1572
+    - attack.lateral_movement
+    - attack.t1021.001
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Description: 'Command-line SSH, Telnet, and Rlogin client'
+        Initiated: 'true'
+    filter:
+        DestinationPort: 22
+    condition: selection and not filter
+falsepositives:
+    - Environments in which SSH servers don't run on port 22/tcp
+level: high

rules/windows/network_connection/sysmon_susp_plink_remote_forward.yml

@@ -0,0 +1,26 @@
+title: Suspicious Plink Remote Forwarding
+id: 48a61b29-389f-4032-b317-b30de6b95314
+status: experimental
+description: Detects suspicious Plink tunnel remote forarding to a local port
+references:
+    - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
+    - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
+author: Florian Roth
+date: 2021/01/19
+tags:
+    - attack.command_and_control
+    - attack.t1572
+    - attack.lateral_movement
+    - attack.t1021.001
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Description: 'Command-line SSH, Telnet, and Rlogin client'
+        Initiated: 'true'
+        CommandLine|contains: ' -R '
+    condition: selection
+falsepositives:
+    - Administrative activity using a remote port forwarding to a local port
+level: high