Skip to content
Threat Feed
high advisory

Potential Remote Desktop Tunneling Detected via SSH

Detection of SSH utilities establishing RDP tunnels, potentially enabling attackers to route network packets to otherwise unreachable destinations, facilitating command and control or lateral movement.

This detection identifies the potential use of SSH utilities like PuTTY or plink to establish Remote Desktop Protocol (RDP) over an SSH tunnel. This technique allows attackers to bypass network restrictions and route traffic to internal resources that would otherwise be inaccessible. The detection focuses on Windows systems where a process is executed with arguments indicating both an RDP port (3389) and either local (-L) or reverse (-R) port forwarding flags. This activity can indicate attempts at lateral movement or establishing command and control channels within a compromised network. Identifying these tunnels early can prevent further exploitation of internal resources.

Attack Chain

  1. An attacker gains initial access to a Windows system through phishing or exploiting a vulnerability.
  2. The attacker drops or utilizes an existing SSH client such as plink or PuTTY on the compromised host.
  3. The attacker executes the SSH client with command-line arguments to establish an SSH tunnel. The arguments include specifying local or remote port forwarding to port 3389 (RDP). Example: plink.exe -L 3389:127.0.0.1:3389 user@192.168.1.100.
  4. The SSH client establishes a connection to a remote SSH server, creating an encrypted tunnel.
  5. Traffic destined for the specified local port (e.g., 3389) is now forwarded through the SSH tunnel to the remote server, which relays the traffic to the intended RDP service.
  6. The attacker initiates an RDP connection to localhost (127.0.0.1) on the compromised host.
  7. The RDP traffic is encapsulated within the SSH tunnel, bypassing network restrictions.
  8. The attacker gains unauthorized access to the remote system via RDP, enabling lateral movement and further exploitation.

Impact

Successful establishment of an RDP tunnel can provide attackers with unauthorized access to internal systems, allowing them to move laterally within the network, access sensitive data, and potentially disrupt business operations. The number of affected systems depends on the attacker's objectives and the scope of the compromised environment. This can lead to data breaches, financial loss, and reputational damage.

Recommendation

  • Deploy the Sigma rule "Potential Remote Desktop Tunneling Detected" to your SIEM and tune for your environment, focusing on identifying processes using SSH clients with port forwarding to RDP (3389).
  • Enable Sysmon process-creation logging on Windows endpoints to provide the necessary data for the Sigma rule to function effectively.
  • Investigate any alerts generated by the Sigma rule, focusing on the command-line arguments used by the SSH client, the source and destination IP addresses, and the user account under which the process is running.
  • Monitor network connections for unusual SSH traffic patterns, particularly connections to external hosts on port 22, and correlate with process creation events involving SSH clients.
  • Implement network segmentation to restrict access to sensitive resources and prevent lateral movement.

Detection coverage 2

Potential Remote Desktop Tunneling Detected

high

Detects the execution of SSH clients with arguments indicating RDP tunneling.

sigma tactics: command_and_control, lateral_movement techniques: T1021.001, T1572 sources: process_creation, windows

Suspicious Plink Reverse Tunnel to External IP

medium

Detects Plink creating a reverse tunnel to an external IP address.

sigma tactics: command_and_control, lateral_movement techniques: T1021.001, T1572 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →