
Potential SSH Reverse Port Forwarding

Elastic Detection Rules

Summary
Detects Windows OpenSSH (ssh.exe) or PuTTY Plink (plink.exe) being started with arguments that establish a reverse SSH port forward or a reverse dynamic SOCKS proxy. The rule flags Windows process-start events for ssh/plink whose command line carries reverse-forward artifacts such as -R, -oRemoteForward, or equivalent combinations. An adversary who can reach an external SSH server from a compromised host can use these options to publish internal services on that server, which sidesteps inbound connectivity controls because the only connection the perimeter sees is an outbound SSH session.

The detection is implemented as an EQL rule that correlates Windows process start events with the command-line patterns above across multiple telemetry sources (Elastic Defend, CrowdStrike, SentinelOne Cloud Funnel, Microsoft Defender XDR, Sysmon, Windows Security Event Logs, and Elastic Endgame), so the same logic gives cross-sensor coverage.

The rule maps to MITRE ATT&CK as follows: under Command and Control, T1090 Proxy with sub-technique T1090.002 External Proxy, and T1572 Protocol Tunneling; under Lateral Movement, T1021 Remote Services with sub-technique T1021.004 SSH.

The investigation guidance walks through triage: verify the exact command line that fired the rule, confirm process lineage (parent process and executable details), check whether the activity recurs, and, where network telemetry is available, identify the remote SSH server and the internal service the forward exposes. It also covers cross-host recurrence of the same binary or hash and calls out the patterns that warrant containment or escalation.

The rule is designed for Windows endpoint telemetry and integrates with Elastic Defend, CrowdStrike, Defender XDR, SentinelOne, Sysmon, and Windows Event Logs; the investigation section references the setup notes and additional data sources. False positives are kept low by requiring explicit reverse-forward artifacts in the command line and by corroborating owner and workflow context before containment or remediation.

Remediation guidance includes isolating the host, rotating credentials, terminating the tunnel process, and removing any related persistence or artifacts after containment, while preserving evidence for post-incident analysis.
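The command-line checks the summary describes, reproduced as an added Python example so they can be run offline over sample events. This is not Elastic's EQL rule; it is an illustration of the same logic: match ssh.exe/plink.exe process starts, pull out every reverse-forward spec given as -R, -Rspec, a bundled flag cluster such as -NR, -oRemoteForward=spec or -o RemoteForward=spec, and classify each as a reverse port forward (which exposes an internal host:port) or a reverse dynamic SOCKS proxy (a bare [bind:]port, supported by OpenSSH 7.6 and later). The ECS field names (process.name, process.command_line), the ARG_FLAGS table, and the sample events are assumptions made for this example; the events are constructed, not captured telemetry.

```python
"""Reverse SSH port-forward detection over Windows process-start events (added example)."""
import re
import shlex

SSH_CLIENTS = {"ssh.exe", "plink.exe"}

# OpenSSH client option letters that take an argument (plus plink's -P and -B).
# Letters outside this set are treated as boolean flags, so bundles such as
# -NR or -fN parse and plink's -batch / -ssh do not derail the scan.
ARG_FLAGS = set("bBcDEeFIiJLlmOopPQRSWw")


def _strip_quotes(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s


def _split_spec(spec):
    """Split a forward spec on ':' while leaving bracketed IPv6 literals intact."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return parts


def extract_forwards(cmdline):
    """Return (reverse_forward_specs, destination) for an ssh/plink command line.

    Recognises -R spec, -Rspec, bundled flags (-NR spec), -oRemoteForward=spec,
    -o RemoteForward=spec and -o "RemoteForward spec". Unix-socket forwards are
    not modelled. Tokens after the destination are scanned too, so a remote
    command such as `ssh host ls -R` also matches; that is left for triage.
    """
    toks = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes
    specs, positional = [], []
    i = 1  # skip argv[0]
    while i < len(toks):
        tok = toks[i]
        i += 1
        if not tok.startswith("-") or tok in ("-", "--"):
            positional.append(tok)
            continue
        cluster = tok[1:]
        for pos, letter in enumerate(cluster):
            if letter not in ARG_FLAGS:
                continue  # boolean flag, keep scanning the bundle
            rest = cluster[pos + 1:]
            if rest == "":  # the argument is the next token
                if i >= len(toks):
                    break
                rest = toks[i]
                i += 1
            rest = _strip_quotes(rest)
            if letter == "R":
                specs.append(rest)
            elif letter == "o":
                m = re.match(r"(?i)remoteforward[=\s]+(.+)$", rest)
                if m:
                    specs.append(re.sub(r"\s+", ":", m.group(1).strip()))
            break  # the rest of this token was the option's argument
    dest = next((p for p in positional if "@" in p), positional[0] if positional else None)
    return specs, dest


def analyze_event(event):
    """Return an alert dict for an ssh/plink reverse forward, else None."""
    name = (event.get("process.name") or "").lower()
    if name not in SSH_CLIENTS:
        return None
    specs, dest = extract_forwards(event.get("process.command_line", ""))
    if not specs:
        return None
    forwards = []
    for spec in specs:
        parts = _split_spec(spec)
        if len(parts) >= 3:  # [bind:]port:host:hostport -> exposes host:hostport
            forwards.append({"kind": "reverse-port-forward",
                             "listen": ":".join(parts[:-2]),
                             "exposed_service": ":".join(parts[-2:])})
        else:  # [bind:]port alone -> reverse dynamic SOCKS proxy
            forwards.append({"kind": "reverse-dynamic-socks",
                             "listen": ":".join(parts),
                             "exposed_service": None})
    return {"process": name, "ssh_server": dest, "forwards": forwards}


def run_detection(events):
    """Apply analyze_event to each event; return the alerts in input order."""
    return [a for a in map(analyze_event, events) if a]


# Constructed sample events (ECS field names); not captured telemetry.
SAMPLE_EVENTS = [
    {"process.name": "ssh.exe",
     "process.command_line": "ssh.exe -N -R 0.0.0.0:2222:127.0.0.1:3389 svc@203.0.113.10"},
    {"process.name": "ssh.exe",
     "process.command_line": "ssh.exe -oRemoteForward=8080:localhost:80 svc@203.0.113.10"},
    {"process.name": "plink.exe",
     "process.command_line": "plink.exe -batch -pw hunter2 -R 1080 svc@203.0.113.10"},
    {"process.name": "ssh.exe",  # local forward only: not a reverse tunnel
     "process.command_line": "ssh.exe -L 8080:intranet:80 svc@203.0.113.10"},
    {"process.name": "ssh.exe",
     "process.command_line": 'ssh.exe -fN -o "RemoteForward 2222 localhost:3389" svc@203.0.113.10'},
    {"process.name": "cmd.exe",  # -R in an unrelated process: no match
     "process.command_line": "cmd.exe /c dir -R"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the SSH server from the command line and, for a static forward, the internal service the tunnel exposes, which is the information the triage steps ask for before network telemetry is consulted. The -L event and the cmd.exe event produce no alert, matching the rule's requirement for an explicit reverse-forward artifact in an ssh/plink process.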
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1090
  • T1090.002
  • T1572
  • T1021
  • T1021.004
Created: 2026-06-24