From fdc969385afaa1a5fc8713d7268fa6f2ae8fcd74 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 19 Jan 2021 12:39:28 +0100
Subject: [PATCH] rule: plink anomaly rules

---
 .../sysmon_susp_plink_non_standard_port.yml | 27 +++++++++++++++++++
 .../sysmon_susp_plink_remote_forward.yml | 26 ++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 rules/windows/network_connection/sysmon_susp_plink_non_standard_port.yml
 create mode 100644 rules/windows/network_connection/sysmon_susp_plink_remote_forward.yml

diff --git a/rules/windows/network_connection/sysmon_susp_plink_non_standard_port.yml b/rules/windows/network_connection/sysmon_susp_plink_non_standard_port.yml
new file mode 100644
index 000000000..677545b2c
--- /dev/null
+++ b/rules/windows/network_connection/sysmon_susp_plink_non_standard_port.yml
@@ -0,0 +1,27 @@
+title: Suspicious Plink Non-Standard Port
+id: 576131ea-77e3-4f8e-ab39-f0bcbcc7c68c
+status: experimental
+description: Detects suspicious Plink use to a port that is not Port 22/tcp (default for SSH)
+references:
+    - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
+    - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
+author: Florian Roth
+date: 2021/01/19
+tags:
+    - attack.command_and_control
+    - attack.t1572
+    - attack.lateral_movement
+    - attack.t1021.001
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Description: 'Command-line SSH, Telnet, and Rlogin client'
+        Initiated: 'true'
+    filter:
+        DestinationPort: 22
+    condition: selection and not filter
+falsepositives:
+    - Environments in which SSH servers don't run on port 22/tcp
+level: high
diff --git a/rules/windows/network_connection/sysmon_susp_plink_remote_forward.yml b/rules/windows/network_connection/sysmon_susp_plink_remote_forward.yml
new file mode 100644
index 000000000..632d3037f
--- /dev/null
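Review bot: The `selection` keys on `Description`, but Sysmon Event ID 3 — the event behind `category: network_connection` — does not carry that field: it logs Image, User, Protocol, Initiated, Source*/Destination* IP, port and hostname, and nothing from the image's version resource, so on stock Sysmon telemetry this rule can never match; only a pipeline that enriches network events with process-creation context would satisfy it. Match on the field the event actually has, `Image|endswith: '\plink.exe'`, and state in `falsepositives` or the description that a renamed binary evades the rule (the version-resource Description would have survived renaming, which is presumably why it was chosen). The `DestinationPort: 22` filter also only reflects plink's SSH mode: `-telnet`, `-rlogin` and `-raw` sessions to 23, 513 or any other port will fire too, so the description should say the rule flags any outbound connection by plink.exe to a port other than 22 regardless of protocol, e.g. `description: Detects plink.exe initiating an outbound connection to a port other than 22/tcp (SSH default); covers SSH on -P ports as well as plink's telnet/rlogin/raw modes`.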
+++ b/rules/windows/network_connection/sysmon_susp_plink_remote_forward.yml
@@ -0,0 +1,26 @@
+title: Suspicious Plink Remote Forwarding
+id: 48a61b29-389f-4032-b317-b30de6b95314
+status: experimental
+description: Detects suspicious Plink tunnel remote forarding to a local port
+references:
+    - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
+    - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
+author: Florian Roth
+date: 2021/01/19
+tags:
+    - attack.command_and_control
+    - attack.t1572
+    - attack.lateral_movement
+    - attack.t1021.001
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Description: 'Command-line SSH, Telnet, and Rlogin client'
+        Initiated: 'true'
+        CommandLine|contains: ' -R '
+    condition: selection
+falsepositives:
+    - Administrative activity using a remote port forwarding to a local port
+level: high
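Review bot: Neither `Description` nor `CommandLine` is a field of Sysmon Event ID 3, the event that `category: network_connection` maps to, so this `selection` cannot match stock Sysmon data; the command line and the version-resource Description are only present on process creation (Event ID 1). Unless the pipeline is known to join process context onto network events, the rule belongs in process_creation: `category: process_creation`, drop `Initiated: 'true'` (a network-event field Event ID 1 lacks) and keep `Description` together with `CommandLine|contains: ' -R '`. The space-delimited `' -R '` pattern suits plink, whose parser takes the forwarding spec as the following argument rather than glued to the flag, but that assumption deserves a comment next to the line since the rule will miss any future form that accepts `-Rport:host:port`. The `description` also has a typo: `forarding` should read `forwarding`.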