{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/application-control-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","openssh","application-control-bypass"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to execute commands through a proxy using the Windows OpenSSH client (ssh.exe or sftp.exe). Attackers may abuse this behavior to evade application control policies by leveraging the trusted Windows OpenSSH binaries. The technique involves using the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e options with the OpenSSH client to execute arbitrary commands on the target system. The rule focuses on detecting command lines containing potentially malicious commands such as PowerShell, schtasks, mshta, msiexec, cmd, or script execution, indicating a possible attempt to bypass security measures. The detection logic is applicable to Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the Windows OpenSSH client (ssh.exe or sftp.exe) with either the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e parameter specifies a command to be executed locally on the system.\u003c/li\u003e\n\u003cli\u003eThe command includes potentially malicious payloads such as PowerShell commands, scheduled tasks manipulation (schtasks), or execution of other LOLBINs (Living Off the Land Binaries) like mshta or msiexec.\u003c/li\u003e\n\u003cli\u003eThe OpenSSH client executes the specified command.\u003c/li\u003e\n\u003cli\u003eThe malicious command performs actions such as downloading and executing additional payloads, creating scheduled tasks for persistence, or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as gaining further access to the system, escalating privileges, or deploying malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of the affected system. Attackers can bypass application control mechanisms, execute arbitrary code, and establish persistence. This can result in data theft, system disruption, or further propagation of the attack within the network. The severity of the impact depends on the privileges of the account running the OpenSSH client and the specific actions performed by the malicious commands.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line details to capture the execution of ssh.exe and sftp.exe with malicious parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eProxy Execution via Windows OpenSSH\u003c/code\u003e to your SIEM to detect suspicious OpenSSH client executions with malicious commands in the command line.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of child processes from ssh.exe or sftp.exe, as this can indicate the execution of malicious commands specified in the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e options.\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of \u003ccode\u003ePermitLocalCommand\u003c/code\u003e in OpenSSH server configurations to prevent attackers from executing commands locally on the system after a connection is established.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"/briefs/2024-01-openssh-proxy-execution/","summary":"Detection of command execution via proxy using the Windows OpenSSH client (ssh.exe or sftp.exe) to bypass application control using trusted Windows binaries.","title":"Proxy Execution via Windows OpenSSH Client","url":"https://feed.craftedsignal.io/briefs/2024-01-openssh-proxy-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Application-Control-Bypass","version":"https://jsonfeed.org/version/1.1"}