Create Ssh.yml (LOLBAS-Project#211)

febou92 · web-flow · commit ded90467a868 · 2022-12-29T19:45:09.000-05:00
* Create Ssh.yml

* newline ymlint

Co-authored-by: bohops &lt;bohops&gt;
diff --git a/yml/OSBinaries/Ssh.yml b/yml/OSBinaries/Ssh.yml
@@ -1,4 +1,3 @@
----
 Name: ssh.exe
 Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
 Author: 'Akshat Pradhan'
@@ -11,18 +10,21 @@ Commands:
     Privileges: User
     MitreID: T1202
     OperatingSystem: Windows 10 1809, Windows Server 2019
-  - Command: ssh localhost calc.exe
-    Description: Executes calc.exe.
-    Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
-    Category: AWL Bypass
+  - Command: ssh -o ProxyCommand=calc.exe .
+    Description: Executes calc.exe from ssh.exe
+    Usecase: Performs execution of specified file, can be used as a defensive evasion.
+    Category: Execute
     Privileges: User
-    MitreID: T1218
-    OperatingSystem: Windows 10 1809, Windows Server 2019
+    MitreID: T1202
+    OperatingSystem: Windows 10
 Full_Path:
   - Path: c:\windows\system32\OpenSSH\ssh.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
   - IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
   - IOC: command line arguments specifying execution.
+Resources:
+  - Link: https://gtfobins.github.io/gtfobins/ssh/
 Acknowledgement:
   - Person: Akshat Pradhan
+  - Person: Felix Boulet
