Windows OpenSSH server listening on socket

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when Windows OpenSSH server starts listening on network sockets, potentially indicating unauthorized remote access establishment.

Strategy

This rule monitors Windows OpenSSH server events where @evt.id is 4, the reporting process is sshd, and @Event.EventData.Data.payload contains a "Server listening on" message. While OpenSSH can be legitimately installed on Windows systems for remote administration, unexpected SSH server activation may indicate attacker-installed persistence mechanisms or unauthorized remote access capabilities. Attackers often deploy SSH servers to maintain persistent access to compromised systems and facilitate lateral movement within the network.
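The matching logic above, as an added worked example that is not part of the Datadog rule or its documentation: it runs the same three conditions (event ID 4, sshd process, "Server listening on" in the payload) over a handful of constructed events shaped like normalized Windows OpenSSH/Operational records, and pulls the bound address and port out of the payload so a triager can see at a glance whether the listener is on loopback, a specific address, or every interface. The field names @evt.id and @Event.EventData.Data.payload come from the rule; the "process" key under EventData.Data and the sample payload text are assumptions made for this example.

```python
import re

# Constructed sample events (not real log data). Shape assumed to mirror
# Datadog-normalized Windows OpenSSH/Operational records: evt.id is the
# Windows event ID, Event.EventData.Data holds the process name and payload.
SAMPLE_EVENTS = [
    {"host": "ws-finance-07", "evt": {"id": 4},
     "Event": {"EventData": {"Data": {
         "process": "sshd", "payload": "Server listening on 0.0.0.0 port 22."}}}},
    {"host": "ws-finance-07", "evt": {"id": 4},
     "Event": {"EventData": {"Data": {
         "process": "sshd", "payload": "Server listening on :: port 22."}}}},
    # Constructed negative: right ID and payload text, wrong process. Must not match.
    {"host": "ws-finance-07", "evt": {"id": 4},
     "Event": {"EventData": {"Data": {
         "process": "ssh-agent", "payload": "Server listening on 0.0.0.0 port 22."}}}},
    # Constructed negative: sshd but a different event ID. Must not match.
    {"host": "ws-finance-07", "evt": {"id": 3},
     "Event": {"EventData": {"Data": {
         "process": "sshd", "payload": "Connection from 10.0.0.5 port 51000"}}}},
]

# sshd's listener message carries the bound address and port; extract both.
LISTEN_RE = re.compile(r"Server listening on (?P<addr>\S+) port (?P<port>\d+)")


def get_path(event, *keys):
    """Walk nested dicts safely; return None if any level is missing."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def match_event(event):
    """Apply the rule's three conditions; return a finding dict or None."""
    if get_path(event, "evt", "id") != 4:
        return None
    data = get_path(event, "Event", "EventData", "Data") or {}
    if data.get("process") != "sshd":          # assumed field name
        return None
    payload = data.get("payload", "")
    if "Server listening on" not in payload:
        return None
    m = LISTEN_RE.search(payload)
    return {
        "host": event.get("host"),
        "address": m.group("addr") if m else None,
        "port": int(m.group("port")) if m else None,
        "payload": payload,
    }


def detect(events):
    """Run the rule over an iterable of events and collect the findings."""
    return [f for f in (match_event(e) for e in events) if f is not None]


def exposure(finding):
    """Triage hint: a wildcard bind means every interface, external ones included."""
    addr = finding.get("address")
    if addr in ("0.0.0.0", "::"):
        return "all-interfaces"
    if addr in ("127.0.0.1", "::1"):
        return "loopback"
    return "specific-address"


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["host"], finding["address"], finding["port"], exposure(finding))
```

The two negatives show why the rule combines all three conditions rather than keying on the event ID alone: OpenSSH's other components log under the same channel and ID, and sshd itself emits many event-ID-4 messages that are not listener start-ups.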

Triage and response

  • Verify if the OpenSSH server installation and activation on {{host}} was authorized and follows organizational IT policies for remote access tools.
  • Check the network interface and port configuration to determine if the SSH server is accessible from external networks or only internal systems.
  • Review system installation logs and recent administrative activities to identify who installed or configured the OpenSSH server.
  • Examine SSH server configuration files for any unusual settings, authorized keys, or access controls that may indicate malicious configuration.
  • Monitor for subsequent SSH connection attempts to determine if the server is being used for legitimate administration or unauthorized access.
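The second and fourth triage steps (port and interface configuration, unusual settings and key locations) can be checked mechanically against sshd_config. The following is an added example, not part of the Datadog rule or the OpenSSH project: it parses sshd_config's keyword/value syntax (including Match blocks and repeated ListenAddress lines, with first-occurrence-wins semantics for other keywords, as sshd applies them) and flags the settings a responder would want to look at first. The two configs are constructed samples; the Windows path C:\ProgramData\ssh\sshd_config is the known default location and is shown only as a reference for where to read the real file.

```python
# Known default location of the server config on Windows OpenSSH; shown for
# reference only, this example parses constructed strings instead.
WINDOWS_SSHD_CONFIG = r"C:\ProgramData\ssh\sshd_config"

# Constructed sample: the kind of config that should worry a responder.
SUSPICIOUS_CONFIG = """\
# constructed sshd_config sample
Port 2222
#ListenAddress 10.0.0.5
PasswordAuthentication yes
PermitEmptyPasswords yes
AuthorizedKeysFile C:/Users/Public/keys
Subsystem sftp sftp-server.exe
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""

# Constructed sample: the same file restricted to one address and key-only auth.
HARDENED_CONFIG = """\
Port 22
ListenAddress 10.0.0.5
PasswordAuthentication no
PermitEmptyPasswords no
AuthorizedKeysFile .ssh/authorized_keys
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks). Keys are lowercased, comments stripped.
    match_blocks is a list of (criteria, settings) for each Match section."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                 # everything after this applies conditionally
            current = {}
            match_blocks.append((value, current))
            continue
        if key == "listenaddress":         # may legitimately appear several times
            current.setdefault(key, []).append(value)
        else:
            current.setdefault(key, value)  # sshd keeps the first occurrence
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of human-readable findings for the global settings."""
    settings, _blocks = parse_sshd_config(text)
    findings = []
    listen = settings.get("listenaddress", [])
    if not listen or any(a in ("0.0.0.0", "::", "*") for a in listen):
        findings.append("no ListenAddress or wildcard bind: reachable on every interface")
    port = settings.get("port", "22")
    if port != "22":
        findings.append(f"non-default Port {port}")
    # OpenSSH's compiled-in default for PasswordAuthentication is yes, so an
    # absent keyword counts as enabled; PermitEmptyPasswords defaults to no.
    if settings.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication enabled (brute-force exposure)")
    if settings.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("PermitEmptyPasswords yes")
    akf = settings.get("authorizedkeysfile")
    if akf and not akf.lower().startswith((".ssh/", "__programdata__")):
        findings.append(f"AuthorizedKeysFile outside default locations: {akf}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("suspicious", SUSPICIOUS_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

Reading the real file instead of the samples is a matter of passing `open(WINDOWS_SSHD_CONFIG).read()` to `audit_sshd_config`; the Match blocks are returned separately because Windows OpenSSH routes administrators' keys through a Match block, so a relocated AuthorizedKeysFile there deserves the same scrutiny as the global one.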