<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenSSH Client - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/openssh-client/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 18:23:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/openssh-client/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windows OpenSSH Client Used for Indirect Command Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-openssh-proxy-execution/</link><pubDate>Wed, 03 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openssh-proxy-execution/</guid><description>Attackers are leveraging the Windows OpenSSH client (ssh.exe, sftp.exe) to proxy command execution and bypass application controls by executing commands such as powershell, schtasks, or cmd, indicating a defense evasion attempt.</description><content:encoded><![CDATA[<p>Attackers are abusing the legitimate Windows OpenSSH client (ssh.exe and sftp.exe) to proxy command execution, a technique known as &quot;Indirect Command Execution&quot; (T1202). This method allows adversaries to bypass application control solutions by leveraging trusted binaries already present on the system. By embedding malicious commands within the OpenSSH command line arguments, attackers can execute arbitrary code, escalate privileges, and establish persistence while blending in with legitimate system activity. This technique is particularly effective because OpenSSH is often trusted and permitted to run without restriction. The observed commands of interest include powershell, schtasks, @echo off, http, mshta, msiexec, cmd /c, cmd.exe, and scp which commonly are used in malicious activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system via an exploit, phishing, or stolen credentials.</li>
<li>The attacker leverages the built-in OpenSSH client (ssh.exe or sftp.exe).</li>
<li>The attacker crafts a command line argument for ssh.exe or sftp.exe that includes a malicious command to be executed indirectly.</li>
<li>The malicious command is embedded within the command line, utilizing keywords such as <code>Command=powershell</code>, <code>schtasks</code>, <code>Command=@echo off</code>, <code>Command=http</code>, <code>Command=mshta</code>, <code>Command=msiexec</code>, <code>Command=cmd /c</code>, <code>Command=cmd.exe</code>, <code>LocalCommand=scp*&amp;&amp;*</code>, <code>LocalCommand=?scp*&amp;&amp;*</code>, or <code>Command=*script*</code>.</li>
<li>The OpenSSH client executes the malicious command, bypassing application control restrictions.</li>
<li>The attacker uses the executed command to download and execute malware, establish persistence, or gather sensitive information.</li>
<li>The attacker moves laterally to other systems on the network, repeating steps 2-6.</li>
<li>The attacker achieves their final objective, such as data exfiltration or ransomware deployment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation leads to arbitrary code execution, privilege escalation, and persistence within the targeted environment. Bypassing application control measures allows attackers to introduce malware and compromise critical systems. This can result in data breaches, financial losses, and reputational damage. The broad use of OpenSSH makes many Windows systems vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Proxy Execution via Windows OpenSSH&quot; to detect suspicious command line arguments passed to ssh.exe and sftp.exe (reference: rules section).</li>
<li>Monitor process creation events for ssh.exe and sftp.exe with command lines containing keywords such as powershell, schtasks, @echo off, http, mshta, msiexec, cmd /c, cmd.exe, and scp (reference: rules section).</li>
<li>Review and harden application control policies to prevent execution of unauthorized or unexpected commands through OpenSSH (reference: Overview section).</li>
<li>Enable Sysmon process creation logging to capture the necessary command-line details for effective detection (reference: rules section).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>proxy-execution</category><category>openssh</category><category>windows</category></item></channel></rss>