From eedc483be43bba401b88899b24c42bacbafb1244 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 19 Jan 2021 14:12:40 +0100
Subject: [PATCH] rework: impossible rule with Sysmon
---
.../sysmon_susp_plink_non_standard_port.yml | 27 -------------------
.../sysmon_susp_plink_remote_forward.yml | 3 +--
2 files changed, 1 insertion(+), 29 deletions(-)
delete mode 100644 rules/windows/network_connection/sysmon_susp_plink_non_standard_port.yml
rename rules/windows/{network_connection => process_creation}/sysmon_susp_plink_remote_forward.yml (93%)
diff --git a/rules/windows/network_connection/sysmon_susp_plink_non_standard_port.yml b/rules/windows/network_connection/sysmon_susp_plink_non_standard_port.yml
deleted file mode 100644
index 677545b2..00000000
--- a/rules/windows/network_connection/sysmon_susp_plink_non_standard_port.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Suspicious Plink Non-Standard Port
-id: 576131ea-77e3-4f8e-ab39-f0bcbcc7c68c
-status: experimental
-description: Detects suspicious Plink use to a port that is not Port 22/tcp (default for SSH)
-references:
- - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
- - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
-author: Florian Roth
-date: 2021/01/19
-tags:
- - attack.command_and_control
- - attack.t1572
- - attack.lateral_movement
- - attack.t1021.001
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Description: 'Command-line SSH, Telnet, and Rlogin client'
- Initiated: 'true'
- filter:
- DestinationPort: 22
- condition: selection and not filter
-falsepositives:
- - Environments in which SSH servers don't run on port 22/tcp
-level: high
diff --git a/rules/windows/network_connection/sysmon_susp_plink_remote_forward.yml b/rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml similarity index 93% rename from rules/windows/network_connection/sysmon_susp_plink_remote_forward.yml rename to rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml index 632d3037..da9ca8e0 100644 --- a/rules/windows/network_connection/sysmon_susp_plink_remote_forward.yml +++ b/rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml @@ -13,12 +13,11 @@ tags: - attack.lateral_movement - attack.t1021.001 logsource: - category: network_connection + category: process_creation product: windows detection: selection: Description: 'Command-line SSH, Telnet, and Rlogin client' - Initiated: 'true' CommandLine|contains: ' -R ' condition: selection falsepositives:
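Review bot: After the move to process_creation the tool identification rests on a single exact match, `Description: 'Command-line SSH, Telnet, and Rlogin client'`, which is attacker-controlled PE version metadata — a plink build with stripped or edited version info, or a newer PuTTY release whose plink description string appears to have changed when SUPDUP was added to the client list (verify against current binaries), silently escapes the rule. I would loosen the string match and add an independent identifier, so the tool check becomes `Description|startswith: 'Command-line SSH, Telnet'` or `OriginalFileName: 'Plink'`, and keep `CommandLine|contains: ' -R '` in its own selection joined with `all of selection_*` so the two signals remain ANDed. Dropping `Initiated` is right for this event type, since that field exists only on network_connection events. The rule's title, description and date sit above the hunk and are outside this view; they should be checked for wording that still refers to the network connection event.
```yaml
# … unchanged: title, id, status, description, references, author, date, tags, logsource …
detection:
  selection_tool:
    - Description|startswith: 'Command-line SSH, Telnet'
    - OriginalFileName: 'Plink'
  selection_cli:
    CommandLine|contains: ' -R '
  condition: all of selection_*
# … unchanged: falsepositives, level …
```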