{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openssh-client/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenSSH Client"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","openssh","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are abusing the legitimate Windows OpenSSH client (ssh.exe and sftp.exe) to proxy command execution, a technique known as \u0026quot;Indirect Command Execution\u0026quot; (T1202). This method allows adversaries to bypass application control solutions by leveraging trusted binaries already present on the system. By embedding malicious commands within the OpenSSH command line arguments, attackers can execute arbitrary code, escalate privileges, and establish persistence while blending in with legitimate system activity. This technique is particularly effective because OpenSSH is often trusted and permitted to run without restriction. The observed commands of interest include powershell, schtasks, @echo off, http, mshta, msiexec, cmd /c, cmd.exe, and scp which commonly are used in malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system via an exploit, phishing, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the built-in OpenSSH client (ssh.exe or sftp.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command line argument for ssh.exe or sftp.exe that includes a malicious command to be executed indirectly.\u003c/li\u003e\n\u003cli\u003eThe malicious command is embedded within the command line, utilizing keywords such as \u003ccode\u003eCommand=powershell\u003c/code\u003e, \u003ccode\u003eschtasks\u003c/code\u003e, \u003ccode\u003eCommand=@echo off\u003c/code\u003e, \u003ccode\u003eCommand=http\u003c/code\u003e, \u003ccode\u003eCommand=mshta\u003c/code\u003e, \u003ccode\u003eCommand=msiexec\u003c/code\u003e, \u003ccode\u003eCommand=cmd /c\u003c/code\u003e, \u003ccode\u003eCommand=cmd.exe\u003c/code\u003e, \u003ccode\u003eLocalCommand=scp*\u0026amp;\u0026amp;*\u003c/code\u003e, \u003ccode\u003eLocalCommand=?scp*\u0026amp;\u0026amp;*\u003c/code\u003e, or \u003ccode\u003eCommand=*script*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe OpenSSH client executes the malicious command, bypassing application control restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the executed command to download and execute malware, establish persistence, or gather sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network, repeating steps 2-6.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to arbitrary code execution, privilege escalation, and persistence within the targeted environment. Bypassing application control measures allows attackers to introduce malware and compromise critical systems. This can result in data breaches, financial losses, and reputational damage. The broad use of OpenSSH makes many Windows systems vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Proxy Execution via Windows OpenSSH\u0026quot; to detect suspicious command line arguments passed to ssh.exe and sftp.exe (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for ssh.exe and sftp.exe with command lines containing keywords such as powershell, schtasks, @echo off, http, mshta, msiexec, cmd /c, cmd.exe, and scp (reference: rules section).\u003c/li\u003e\n\u003cli\u003eReview and harden application control policies to prevent execution of unauthorized or unexpected commands through OpenSSH (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary command-line details for effective detection (reference: rules section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openssh-proxy-execution/","summary":"Attackers are leveraging the Windows OpenSSH client (ssh.exe, sftp.exe) to proxy command execution and bypass application controls by executing commands such as powershell, schtasks, or cmd, indicating a defense evasion attempt.","title":"Windows OpenSSH Client Used for Indirect Command Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-openssh-proxy-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenSSH Client","version":"https://jsonfeed.org/version/1.1"}