Conversation
|
⛔️ Test failed Results
|
Contributor
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new Windows EQL detection rule to identify reverse SSH port forwarding / reverse dynamic forwarding activity via Windows OpenSSH (ssh.exe) or PuTTY Plink (plink.exe), including an investigation guide and investigation transforms to support triage and scoping.
Changes:
- Introduces a new Windows rule targeting reverse port-forwarding indicators (
-R/RemoteForward) for OpenSSH and Plink. - Adds an investigation guide plus investigate transforms for process context, recurrence on host, and hash-based scoping.
- Maps the detection to relevant MITRE ATT&CK tactics/techniques (Proxy/External Proxy, Protocol Tunneling, Remote Services/SSH).
| process.args : "-oRemoteForward*" or | ||
| (process.args : "-o" and process.args : "*RemoteForward*") or | ||
|
|
||
| /* -R can be combined with ~20 no-arg SSH flags (e.g. -NR, -fNR) */ |
Contributor
There was a problem hiding this comment.
I think the current logic for the regex and process.args filters could miss the compact form:
ssh.exe -fNR2222:127.0.0.1:3389 user@host
Contributor
Author
eric-forte-elastic
approved these changes
Jun 25, 2026
eric-forte-elastic
left a comment
Contributor
There was a problem hiding this comment.
Small comment and I think Copilot suggestion might be valid.
Otherwise LGTM 👍
terrancedejesus
approved these changes
Jun 25, 2026
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Issues
Part of https://github.com/elastic/ia-trade-team/issues/888
Summary
Identifies the use of Windows OpenSSH or Plink to create a reverse SSH port forward or reverse dynamic SOCKS proxy. Adversaries may abuse reverse forwarding to expose an internal service or proxy listener through an external SSH server, establishing an outbound tunnel that bypasses direct inbound connectivity controls.
References: