
Remote Port Forwarding via Plink - Unauthorized RDP Tunneling Detection

Detects the use of Plink (PuTTY Link) to establish remote port forwarding tunnels, specifically targeting traffic redirected to port 3389 (RDP). This technique is frequently used by threat actors for lateral movement or to bypass firewall restrictions by tunneling RDP over SSH.

Tags: EDR, hunting, T1572, T1021.004
Source: FDR | Level: intermediate | by cap10 (cql-hub.com) | 1 min read

Query

#event_simpleName=ProcessRollup2
| ImageFileName=/\\plink(64)?\.exe$/i
| CommandLine=/\s-(R|L).*:3389/i
| table([aid, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName])
| sort(@timestamp, order=desc)
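As an added example (not part of the cql-hub.com entry), the same two filters applied in Python to constructed ProcessRollup2-style events, projecting the table() columns and sorting newest first; the hosts, users, aids and command lines are made up for the test.

```python
import re

# Constructed sample ProcessRollup2-style events (not real telemetry).
# Field names follow the query; @timestamp values are epoch seconds.
SAMPLE_EVENTS = [
    {"@timestamp": 1700000100, "aid": "aid-1", "ComputerName": "WS01",
     "UserName": "alice", "ImageFileName": r"C:\Tools\plink.exe",
     "CommandLine": "plink.exe -R 3389:127.0.0.1:3389 user@203.0.113.10",
     "ParentBaseFileName": "cmd.exe"},
    {"@timestamp": 1700000200, "aid": "aid-2", "ComputerName": "WS02",
     "UserName": "bob", "ImageFileName": r"C:\Temp\PLINK64.EXE",
     "CommandLine": "PLINK64.EXE -l svc -L 13389:10.0.0.5:3389 203.0.113.20",
     "ParentBaseFileName": "powershell.exe"},
    {"@timestamp": 1700000300, "aid": "aid-3", "ComputerName": "WS03",
     "UserName": "carol", "ImageFileName": r"C:\Tools\plink.exe",
     "CommandLine": "plink.exe -ssh user@203.0.113.30",  # no forwarding flag
     "ParentBaseFileName": "explorer.exe"},
    {"@timestamp": 1700000400, "aid": "aid-4", "ComputerName": "WS04",
     "UserName": "dave", "ImageFileName": r"C:\Tools\plink.exe",
     "CommandLine": "plink.exe -L 8080:10.0.0.9:80 user@203.0.113.40",  # not 3389
     "ParentBaseFileName": "cmd.exe"},
    {"@timestamp": 1700000500, "aid": "aid-5", "ComputerName": "WS05",
     "UserName": "erin", "ImageFileName": r"C:\Tools\putty.exe",
     "CommandLine": "putty.exe -R 3389:127.0.0.1:3389 user@203.0.113.50",  # wrong image
     "ParentBaseFileName": "cmd.exe"},
]

# Same two filters as the CQL query: image is plink.exe / plink64.exe in any
# directory, and the command line carries a -R or -L flag followed somewhere
# later by ":3389" (an RDP endpoint being tunneled). Both are case-insensitive.
IMAGE_RE = re.compile(r"\\plink(64)?\.exe$", re.IGNORECASE)
CMDLINE_RE = re.compile(r"\s-(R|L).*:3389", re.IGNORECASE)
FIELDS = ["aid", "ComputerName", "UserName", "ImageFileName",
          "CommandLine", "ParentBaseFileName"]


def matches(event):
    """True when both regex filters hit, exactly like the query's two pipes."""
    return (IMAGE_RE.search(event.get("ImageFileName", "")) is not None
            and CMDLINE_RE.search(event.get("CommandLine", "")) is not None)


def hunt(events):
    """Filter, project to the table() columns and sort newest first."""
    hits = sorted((e for e in events if matches(e)),
                  key=lambda e: e["@timestamp"], reverse=True)
    return [{k: e[k] for k in FIELDS} for e in hits]


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["ComputerName"], row["UserName"], row["CommandLine"])
```

Because the query's `/i` flag makes `-(R|L)` case-insensitive, a lowercase `-l` (login name) also satisfies it; the example keeps that behaviour so its results stay identical to the query's.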

Explanation

Imported from cql-hub.com. Add the pipe-by-pipe explanation here.

Variables to adjust

Review and adjust the values for your environment.