LOLBAS/yml/OSBinaries/Ssh.yml

Name: ssh.exe
Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
Author: 'Akshat Pradhan'
Created: '2021-11-08'
Commands:
  - Command: ssh localhost calc.exe
    Description: Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
    Usecase: Execute specified command, can be used for defense evasion.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10 1809, Windows Server 2019
  - Command: ssh -o ProxyCommand=calc.exe .
    Description: Executes calc.exe from ssh.exe
    Usecase: Performs execution of specified file, can be used as a defensive evasion.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10
Full_Path:
  - Path: c:\windows\system32\OpenSSH\ssh.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
  - IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
  - IOC: command line arguments specifying execution.
Resources:
  - Link: https://gtfobins.github.io/gtfobins/ssh/
Acknowledgement:
  - Person: Akshat Pradhan
  - Person: Felix Boulet
Create Ssh 2021-11-08 17:51:37 +01:00			`Name: ssh.exe`
Removed trailing space on line 3 2022-09-18 03:24:04 +02:00			`Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.`
Create Ssh 2021-11-08 17:51:37 +01:00			`Author: 'Akshat Pradhan'`
			`Created: '2021-11-08'`
			`Commands:`
			`- Command: ssh localhost calc.exe`
			`Description: Execute calc.exe on host machine. The prompt for password can be eliminated by adding the host's public key in the user's authorized_keys file. Adversaries can do the same for execution on remote machines.`
			`Usecase: Execute specified command, can be used for defense evasion.`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1202`
			`OperatingSystem: Windows 10 1809, Windows Server 2019`
Create Ssh.yml (#211) * Create Ssh.yml * newline ymlint Co-authored-by: bohops <bohops> 2022-12-30 01:45:09 +01:00			`- Command: ssh -o ProxyCommand=calc.exe .`
			`Description: Executes calc.exe from ssh.exe`
			`Usecase: Performs execution of specified file, can be used as a defensive evasion.`
			`Category: Execute`
Added AWL Bypass to Ssh.yml 2021-11-09 03:44:43 +01:00			`Privileges: User`
Create Ssh.yml (#211) * Create Ssh.yml * newline ymlint Co-authored-by: bohops <bohops> 2022-12-30 01:45:09 +01:00			`MitreID: T1202`
			`OperatingSystem: Windows 10`
Create Ssh 2021-11-08 17:51:37 +01:00			`Full_Path:`
			`- Path: c:\windows\system32\OpenSSH\ssh.exe`
			`Detection:`
$frack113$ Add sigma ref Detection (#272) * Add sigma ref * Add missing sigma ref * Fix sigma link * Remove by Defender * Remove by Defender 2022-12-29 15:51:15 +01:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml`
Create Ssh 2021-11-08 17:51:37 +01:00			`- IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.`
			`- IOC: command line arguments specifying execution.`
Create Ssh.yml (#211) * Create Ssh.yml * newline ymlint Co-authored-by: bohops <bohops> 2022-12-30 01:45:09 +01:00			`Resources:`
			`- Link: https://gtfobins.github.io/gtfobins/ssh/`
Create Ssh 2021-11-08 17:51:37 +01:00			`Acknowledgement:`
			`- Person: Akshat Pradhan`
Create Ssh.yml (#211) * Create Ssh.yml * newline ymlint Co-authored-by: bohops <bohops> 2022-12-30 01:45:09 +01:00			`- Person: Felix Boulet`