Attack Chain

1. An attacker gains initial access to a Windows system.
2. The attacker executes the Windows OpenSSH client (ssh.exe or sftp.exe) with either the ProxyCommand or LocalCommand option.
3. The ProxyCommand or LocalCommand parameter specifies a command to be executed locally on the system.
4. The command includes potentially malicious payloads such as PowerShell commands, scheduled tasks manipulation (schtasks), or execution of other LOLBINs (Living Off the Land Binaries) like mshta or msiexec.
5. The OpenSSH client executes the specified command.
6. The malicious command performs actions such as downloading and executing additional payloads, creating scheduled tasks for persistence, or executing arbitrary code.
7. The attacker achieves their objectives, such as gaining further access to the system, escalating privileges, or deploying malware.

Impact

Successful exploitation can lead to a complete compromise of the affected system. Attackers can bypass application control mechanisms, execute arbitrary code, and establish persistence. This can result in data theft, system disruption, or further propagation of the attack within the network. The severity of the impact depends on the privileges of the account running the OpenSSH client and the specific actions performed by the malicious commands.

Recommendation

• Enable process creation logging with command line details to capture the execution of ssh.exe and sftp.exe with malicious parameters.
• Deploy the Sigma rule Proxy Execution via Windows OpenSSH to your SIEM to detect suspicious OpenSSH client executions with malicious commands in the command line.
• Monitor for the creation of child processes from ssh.exe or sftp.exe, as this can indicate the execution of malicious commands specified in the ProxyCommand or LocalCommand options.
• Review and restrict the usage of PermitLocalCommand in OpenSSH server configurations to prevent attackers from executing commands locally on the system after a connection is established.