Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

OpenSSH Server Listening On Socket

Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
mdecrevoisierCreated Tue Oct 253ce8e9a4-bc61-4c9b-8e69-d7e2492a8781windows
Log Source
Windowsopenssh
ProductWindows← raw: windows
Serviceopenssh← raw: openssh
Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID: 4
        process: sshd
        payload|startswith: 'Server listening on '
    condition: selection
False Positives

Legitimate administrator activity

References
1
Resolving title…
github.com
2
Resolving title…
winaero.com
3
Resolving title…
learn.microsoft.com
4
Resolving title…
virtualizationreview.com
5
Resolving title…
medium.com
MITRE ATT&CK

Sub-techniques

T1021.004 · SSH
Rule Metadata
Rule ID
3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
Status
test
Level
medium
Type
Detection
Created
Tue Oct 25
Author
mdecrevoisier
Path
rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml
Raw Tags
attack.lateral-movementattack.t1021.004
View on GitHub