Skip to content

[New Rule] Potential SSH Reverse Port Forwarding#6330

Merged
w0rk3r merged 4 commits into
mainfrom
dr_0
Jun 30, 2026
Merged

[New Rule] Potential SSH Reverse Port Forwarding#6330
w0rk3r merged 4 commits into
mainfrom
dr_0

Conversation

@w0rk3r

@w0rk3r w0rk3r commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Issues

Part of https://github.com/elastic/ia-trade-team/issues/888

Summary

Identifies the use of Windows OpenSSH or Plink to create a reverse SSH port forward or reverse dynamic SOCKS proxy. Adversaries may abuse reverse forwarding to expose an internal service or proxy listener through an external SSH server, establishing an outbound tunnel that bypasses direct inbound connectivity controls.

References:

image

@tradebot-elastic

tradebot-elastic commented Jun 24, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Potential SSH Reverse Port Forwarding (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@github-actions

Copy link
Copy Markdown
Contributor

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new Windows EQL detection rule to identify reverse SSH port forwarding / reverse dynamic forwarding activity via Windows OpenSSH (ssh.exe) or PuTTY Plink (plink.exe), including an investigation guide and investigation transforms to support triage and scoping.

Changes:

  • Introduces a new Windows rule targeting reverse port-forwarding indicators (-R / RemoteForward) for OpenSSH and Plink.
  • Adds an investigation guide plus investigate transforms for process context, recurrence on host, and hash-based scoping.
  • Maps the detection to relevant MITRE ATT&CK tactics/techniques (Proxy/External Proxy, Protocol Tunneling, Remote Services/SSH).

process.args : "-oRemoteForward*" or
(process.args : "-o" and process.args : "*RemoteForward*") or

/* -R can be combined with ~20 no-arg SSH flags (e.g. -NR, -fNR) */

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the current logic for the regex and process.args filters could miss the compact form:
ssh.exe -fNR2222:127.0.0.1:3389 user@host

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

++

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image Updated the regex to account for this, thanks!

@eric-forte-elastic eric-forte-elastic left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small comment and I think Copilot suggestion might be valid.

Otherwise LGTM 👍

@tradebot-elastic

tradebot-elastic commented Jun 30, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Potential SSH Reverse Port Forwarding (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Jun 30, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Potential SSH Reverse Port Forwarding (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@w0rk3r w0rk3r merged commit f30f78f into main Jun 30, 2026
13 checks passed
@w0rk3r w0rk3r deleted the dr_0 branch June 30, 2026 23:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants