Detectionhightest

Potential RDP Tunneling Via SSH

Execution of ssh.exe to perform data exfiltration and tunneling through RDP

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Wed Oct 12Updated Wed Jan 25f7d7ebd5-a016-46e2-9c54-f9932f2d386dwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\ssh.exe'
        CommandLine|contains: ':3389'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Related Rules

Potential RDP Tunneling Via Plink

Execution of plink to perform data exfiltration and tunneling

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

f7d7ebd5-a016-46e2-9c54-f9932f2d386d

Status

test

Level

high

Type

Detection

Created

Wed Oct 12

Modified

Wed Jan 25

Author

Path

rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml

Raw Tags

attack.command-and-controlattack.t1572