SSH Tunnelling to Punch Through Corporate Firewalls - Updated take on one of the oldest LOLBINs | JUMPSEC LABS
Common Information
Type Value
UUID b274a8de-9a52-4b29-beec-2c86690e6f56
Fingerprint 26538b516b24b6c7
Analysis status DONE
Considered CTI value 0
Text language
Published Aug. 13, 2024, 6:40 p.m.
Added to db Aug. 31, 2024, 6:25 a.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline SSH Tunnelling to Punch Through Corporate Firewalls – Updated take on one of the oldest LOLBINs
Title SSH Tunnelling to Punch Through Corporate Firewalls - Updated take on one of the oldest LOLBINs | JUMPSEC LABS
Detected Hints/Tags/Attributes 59/2/15
RSS Feed
Id Enabled Feed title Url Added to db
149 JUMPSEC LABS https://labs.jumpsec.com/feed/ 2024-08-30 22:08
Attributes
Type #Events CTI Value
Domain 88
secretsdump.py
Domain 14
scanme.nmap.org
Domain 1
msservicesupdate.uksouth.cloudapp.azure.com
Domain 1
region.cloudapp.azure.com
Domain 339
system.net
File 1
c:\windows\system32\openssh\ssh.exe
File 85
secretsdump.py
File 28
ssh.exe
File 4
scp.exe
File 1
totally_okay_payload.dll
File 1
c:\public\appdata\version.dll
File 27
invoke-mimikatz.ps1
File 1
amsibypass.ps1
IPv4 1441
127.0.0.1
Url 1
http://192.x.x.x/invoke-mimikatz.ps1