Query Details

SSH tunnel to external host

Query

# Rule Documentation: SSH Reverse Tunnel Established to External Host

## Description
Detects SSH reverse tunneling or remote port forwarding to external hosts, which attackers use to create persistent command-and-control channels or pivot through an internal host to external infrastructure.

- **Source:** The DFIR Report — From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira (Aug 05, 2025)

## Detection Logic
- Monitor outbound `ssh` process creation with port-forwarding flags (`-R` for remote/reverse forwarding, `-L` for local forwarding) or unusual port numbers.
- Alert on internal hosts initiating SSH connections to external IPs with remote port binds (e.g., `ssh -R *:10400`).
- Correlate with newly installed remote access tools or suspicious user accounts.

## Tags
- Command and Control  
- Lateral Movement  
- MITRE ATT&CK: T1572 (Protocol Tunneling), T1040 (Network Sniffing)

## Search Query
```kql
DeviceProcessEvents
// =~ is case-insensitive equality; the second clause also catches ssh launched via a full path
| where FileName =~ "ssh.exe" or ProcessCommandLine contains "ssh "
// contains is case-insensitive in KQL, so "-R" also matches "-r" and "-L" also matches "-l" (login name);
// this is one source of the noise described in the Note below
| where ProcessCommandLine contains "-R" or ProcessCommandLine contains "-L" or ProcessCommandLine contains "RemoteForward"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ReportId
```

## Note
This rule is very noisy and will generate a lot of alerts; it needs to be tuned to exclude legitimate SSH forwarding in your environment.
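As an added example (not the rule's own code, nor The DFIR Report's), here is the detection logic above run in Python over constructed DeviceProcessEvents-style records. It parses ssh/ssh.exe command lines for `-R`, `-L`, `-D` and `-o RemoteForward=...`/`LocalForward=...`, takes the first positional token as the ssh destination, and rates each hit by whether that destination is external, which the KQL above cannot do on its own. Flags are matched case-sensitively, so `-l user` is not mistaken for `-L` the way a case-insensitive `contains` would. The private ranges, internal DNS suffixes, sample hosts, accounts and the severity scale are assumptions made for this example.

```python
"""Added example (not the rule's or The DFIR Report's code): parse ssh command
lines from process events and flag port forwarding to an external ssh destination."""
import ipaddress
import shlex
from dataclasses import dataclass

OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")  # ssh(1) options that take a value
# Assumptions for this example: these ranges and DNS suffixes are internal.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]
INTERNAL_SUFFIXES = (".corp.example", ".internal")

@dataclass
class Forward:
    kind: str       # "R" remote/reverse, "L" local, "D" dynamic
    bind_port: str  # port the tunnel listens on
    target: str     # host:port reached through the tunnel ("" for -D)

def parse_forward(kind, spec):
    """[bind_addr:]port:host:hostport (or [bind_addr:]port for -D) -> Forward. No IPv6 brackets."""
    parts = spec.split(":")
    if kind != "D" and len(parts) >= 3:
        return Forward(kind, parts[-3], f"{parts[-2]}:{parts[-1]}")
    return Forward(kind, parts[-1], "")

def is_external(host):
    """True unless the [user@]host is a private/loopback address or an internal name."""
    host = host.rsplit("@", 1)[-1].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in PRIVATE_NETS)
    except ValueError:
        return not host.lower().endswith(INTERNAL_SUFFIXES)

def parse_ssh(cmdline):
    """Return (destination, [Forward, ...]) for an ssh/ssh.exe command line, or None
    if the process is not ssh. Flags are compared case-sensitively ('-l' is not '-L')."""
    try:
        argv = shlex.split(cmdline.replace("\\", "/"))  # normalise Windows paths
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1].lower() not in ("ssh", "ssh.exe"):
        return None
    forwards, dest, i = [], None, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and tok[1:2] in OPTS_WITH_ARG:
            attached = len(tok) > 2            # "-R10400:..." vs "-R 10400:..."
            val = tok[2:] if attached else (argv[i + 1] if i + 1 < len(argv) else "")
            i += 1 if attached else 2
            if tok[1] in "RLD":
                forwards.append(parse_forward(tok[1], val))
            elif tok[1] == "o":               # -o RemoteForward=..., LocalForward=...
                key, _, value = val.partition("=")
                cfg = {"remoteforward": "R", "localforward": "L",
                       "dynamicforward": "D"}.get(key.strip().lower())
                if cfg:  # ssh_config syntax puts a space between port and target
                    forwards.append(parse_forward(cfg, value.strip().replace(" ", ":")))
        elif tok.startswith("-"):             # boolean flags such as -N or -fN, or "--"
            i += 1
        else:
            if dest is None:
                dest = tok                    # first positional token: [user@]host
            i += 1
    return dest, forwards

def analyze_event(event):
    """Apply the rule to one DeviceProcessEvents-shaped record; None when it does not fire."""
    parsed = parse_ssh(event["ProcessCommandLine"])
    if parsed is None or parsed[0] is None or not parsed[1]:
        return None  # not ssh, no destination, or ssh without port forwarding
    dest, forwards = parsed
    external = is_external(dest)
    reverse = any(f.kind == "R" for f in forwards)
    severity = "high" if external and reverse else "medium" if external else "low"
    return {"device": event["DeviceName"], "account": event["InitiatingProcessAccountName"],
            "destination": dest, "external": external, "forwards": forwards, "severity": severity}

def hunt(events, min_severity="low"):
    rank = {"low": 0, "medium": 1, "high": 2}
    return [f for f in map(analyze_event, events)
            if f is not None and rank[f["severity"]] >= rank[min_severity]]

def ev(device, account, cmd):  # constructed row with the columns the query projects
    return {"DeviceName": device, "InitiatingProcessAccountName": account, "ProcessCommandLine": cmd}

SAMPLE_EVENTS = [  # constructed samples, not real telemetry
    ev("ws01", "alice", r"C:\Windows\System32\OpenSSH\ssh.exe -N -R *:10400:127.0.0.1:3389 ops@203.0.113.7"),
    ev("ws02", "bob", "ssh -L 8080:localhost:80 dev@10.20.30.40"),      # local forward to internal host
    ev("ws03", "carol", "ssh -l deploy bastion.corp.example"),         # -l is a login name, no tunnel
    ev("ws04", "dave", 'ssh -o "RemoteForward=*:2222 127.0.0.1:22" -N ops@tunnel.example.net'),
    ev("ws05", "erin", "ssh -fN -R10400:localhost:3389 ops@relay.example.org"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"], f["device"], f["account"], f["destination"], f["forwards"])
```

Running the block prints one line per finding: ws01, ws04 and ws05 rate high (reverse forward to an external destination), ws02 rates low (local forward into an internal address), and ws03 does not fire at all, although the KQL's case-insensitive `contains "-L"` would have matched its `-l deploy`. Feeding the same function a `DeviceProcessEvents` export lets the `hunt(..., "high")` filter do the tuning the Note asks for.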

Explanation

This query is designed to detect potentially malicious SSH reverse tunneling activities, which can be used by attackers to maintain control over a compromised system or to move laterally within a network. Here's a simple breakdown of the query and its purpose:

1. Objective: The query aims to identify SSH processes that might be used for reverse tunneling or remote port forwarding to external hosts. This is a technique often used by attackers to establish persistent command-and-control channels or to pivot from an internal network to external infrastructure.

2. Detection Criteria:
   - It looks for the creation of SSH processes (ssh.exe) on devices.
   - Specifically, it searches for SSH commands that include flags for remote forwarding (-R) or local forwarding (-L), or the term "RemoteForward" in the command line. These flags are indicative of port forwarding activities.
   - The query captures details such as the timestamp of the event, the device name, the account initiating the process, the full command line used, and a report ID for further investigation.

3. Context:
   - The rule is based on a report detailing how attackers use such techniques in real-world scenarios, specifically referencing a case involving ransomware delivery.
   - It is tagged under categories like Command and Control and Lateral Movement, aligning with MITRE ATT&CK techniques for protocol tunneling and network sniffing.

4. Considerations:
   - The rule is noted to be "noisy," meaning it may generate many alerts, including false positives. Therefore, it might require tuning to filter out legitimate SSH activities that match the criteria but are not malicious.

In summary, this query helps security teams identify suspicious SSH activities that could indicate an attacker's attempt to establish unauthorized network connections or control channels. However, due to its broad detection criteria, it may need refinement to reduce false alarms.

Details

Ali Hussein

Released: November 10, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

=~, contains, or, project, where