---
Name : ssh.exe
Description : Ssh.exe is the OpenSSH-compatible client that can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
Author : 'Akshat Pradhan'
Created : '2021-11-08'
Commands :
  - Command : ssh localhost calc.exe
    Description : Executes calc.exe on the host machine. The password prompt can be eliminated by adding the host's public key to the user's authorized_keys file. Adversaries can do the same for execution on remote machines.
    Usecase : Executes the specified command; can be used for defense evasion.
    Category : Execute
    Privileges : User
    MitreID : T1202
    OperatingSystem : Windows 10 1809, Windows Server 2019
  - Command : ssh -o ProxyCommand=calc.exe .
    Description : Executes calc.exe from ssh.exe
    Usecase : Executes the specified file; can be used for defense evasion.
    Category : Execute
    Privileges : User
    MitreID : T1202
    OperatingSystem : Windows 10
Full_Path :
  - Path : c:\windows\system32\OpenSSH\ssh.exe
Detection :
  - Sigma : https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
  - IOC : Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
  - IOC : command line arguments specifying execution.
Resources :
  - Link : https://gtfobins.github.io/gtfobins/ssh/
Acknowledgement :
  - Person : Akshat Pradhan
  - Person : Felix Boulet