On Windows, processes such as plink.exe, ssh.exe, or netsh.exe (whose portproxy context configures a TCP relay) establish outbound network connections whose traffic carries an encapsulated protocol (e.g., RDP over SSH). Defenders observe anomalous process-to-network relationships (a tunneling client started by an unexpected parent or account), large asymmetric data flows, and port usage mismatches (an SSH client connecting to 443 rather than 22).

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| AllowedTools | Whitelist legitimate tunneling tools (e.g., used by admins). |
| DataAsymmetryThreshold | Ratio of sent vs received bytes that indicates tunneling activity. |
| TimeWindow | Correlate process creation with network connection within N seconds. |
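
The correlation the Windows analytic describes, as an added example that is not part of the original page: Sysmon EventCode=1 and EventCode=3 records are joined on ProcessGuid inside TimeWindow, tools on the AllowedTools list are suppressed, destination ports are checked against what an SSH-family client should reach, and DataAsymmetryThreshold is applied to byte counts from flow telemetry (Sysmon EventCode=3 carries none). The events, the flow byte counts, the tool lists and the TEST-NET addresses are all constructed for the example.

```python
"""Added example (not from the ATT&CK page): correlate Sysmon EventCode=1 and
EventCode=3 records to flag tunneling clients, using the AllowedTools,
DataAsymmetryThreshold and TimeWindow knobs from the table above.
All events, byte counts and tool lists below are constructed for illustration."""
from datetime import datetime, timedelta
from ntpath import basename  # handles Windows paths regardless of host OS

TUNNELING_TOOLS = {"plink.exe", "ssh.exe", "netsh.exe"}
# AllowedTools: (image basename, account) pairs approved for admin use (assumed).
ALLOWED_TOOLS = {("ssh.exe", "CORP\\svc_backup")}
TIME_WINDOW = timedelta(seconds=30)          # TimeWindow: N seconds
DATA_ASYMMETRY_THRESHOLD = 5.0               # bytes sent / bytes received
# Destination ports an SSH-family client normally reaches; anything else is a mismatch.
EXPECTED_PORTS = {"ssh.exe": {22}, "plink.exe": {22}}

# Constructed Sysmon events using real Sysmon field names (UtcTime, ProcessGuid, ...).
SYSMON_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:00.000", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "User": "CORP\\svc_backup",
     "CommandLine": "ssh.exe -N -L 5432:db01:5432 backup@10.0.0.20"},
    {"EventCode": 3, "UtcTime": "2024-05-01 10:00:01.200", "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "Protocol": "tcp", "Initiated": "true",
     "SourcePort": 51000, "DestinationIp": "10.0.0.20", "DestinationPort": 22},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:05:00.000", "ProcessGuid": "{B2}",
     "Image": r"C:\Users\jdoe\Downloads\plink.exe", "User": "CORP\\jdoe",
     "CommandLine": "plink.exe -N -R 3389:127.0.0.1:3389 -P 443 user@203.0.113.10"},
    {"EventCode": 3, "UtcTime": "2024-05-01 10:05:02.500", "ProcessGuid": "{B2}",
     "Image": r"C:\Users\jdoe\Downloads\plink.exe", "Protocol": "tcp", "Initiated": "true",
     "SourcePort": 51002, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:07:00.000", "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\netsh.exe", "User": "CORP\\jdoe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=8080 "
                    "connectaddress=10.0.0.5 connectport=3389"},
]
# Sysmon EventCode=3 carries no byte counts; asymmetry needs flow telemetry
# (firewall/NetFlow). Constructed: (DestinationIp, SourcePort) -> (bytes_out, bytes_in).
FLOW_BYTES = {("203.0.113.10", 51002): (48_000_000, 900_000)}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def analyze(events, flows):
    """Return a list of {"guid", "tool", "reasons"} findings."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    findings = []
    # netsh portproxy configures a relay that the IP Helper service (iphlpsvc) performs,
    # so netsh.exe itself never produces an EventCode=3; detect it from the command line.
    for p in procs.values():
        tool = basename(p["Image"]).lower()
        if tool == "netsh.exe" and "portproxy" in p["CommandLine"].lower():
            findings.append({"guid": p["ProcessGuid"], "tool": tool,
                             "reasons": ["netsh portproxy relay configured"]})
    for n in events:
        if n["EventCode"] != 3 or n.get("Initiated") != "true":
            continue
        p = procs.get(n["ProcessGuid"])
        if p is None:
            continue
        tool = basename(p["Image"]).lower()
        if tool not in TUNNELING_TOOLS or (tool, p["User"]) in ALLOWED_TOOLS:
            continue
        delta = _ts(n["UtcTime"]) - _ts(p["UtcTime"])
        if not timedelta(0) <= delta <= TIME_WINDOW:
            continue  # only connections made right after process start are correlated
        reasons = [f"{tool} outbound to {n['DestinationIp']}:{n['DestinationPort']}"]
        if n["DestinationPort"] not in EXPECTED_PORTS.get(tool, set()):
            reasons.append("port mismatch")
        out, inp = flows.get((n["DestinationIp"], n["SourcePort"]), (0, 0))
        if inp and out / inp >= DATA_ASYMMETRY_THRESHOLD:
            reasons.append(f"asymmetric flow {out / inp:.0f}:1")
        findings.append({"guid": p["ProcessGuid"], "tool": tool, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SYSMON_EVENTS, FLOW_BYTES):
        print(f["guid"], f["tool"], "; ".join(f["reasons"]))
```

Run as a script it reports {B2} (plink.exe to 203.0.113.10:443, port mismatch, 53:1 asymmetry) and {C3} (netsh portproxy), while the svc_backup ssh.exe session is suppressed by AllowedTools. The allowlist is keyed on account as well as image name because a legitimate OpenSSH binary run by an unexpected user is exactly the case the analytic wants to surface.
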

On Linux, ssh, sshd, socat, or custom binaries initiate port forwarding or encapsulate cleartext traffic (e.g., RDP, SMB) inside SSH or HTTP. Defenders see abnormal connect/bind syscalls, encrypted traffic on ports normally used by non-encrypted services, and outlier traffic volumes.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | auditd:SYSCALL | socket/connect calls showing SSH processes forwarding arbitrary ports |
| Application Log Content (DC0038) | linux:syslog | sshd sessions with unusual port forwarding parameters |
| Process Creation (DC0032) | linux:osquery | socat, ssh, or nc processes opening unexpected ports |

| Field | Description |
|---|---|
| ForwardingFlags | ssh client options (-L, -R, -D, -W) and sshd_config settings (AllowTcpForwarding, GatewayPorts, PermitTunnel) that indicate port forwarding. |
| ProtocolBaseline | Define expected application protocols by port to catch tunneling mismatches. |
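
The ForwardingFlags and ProtocolBaseline checks for the Linux analytic, as an added example that is not part of the original page: osquery-style process rows are parsed for ssh forwarding options and socat listen/connect addresses, and every forwarded target port is compared with the protocol the baseline expects there, so a forward that wraps RDP or SMB in SSH, a SOCKS proxy, or a socat listener on 443 relaying to 3389 is reported. The process rows and the baseline mapping are constructed for the example.

```python
"""Added example (not from the ATT&CK page): parse ssh/socat command lines from
osquery-style process rows for the ForwardingFlags and check the forwarded
service against a ProtocolBaseline. Process rows and the baseline are constructed."""
import re
import shlex

# ProtocolBaseline: expected application protocol per port (assumed values).
PROTOCOL_BASELINE = {22: "ssh", 53: "dns", 80: "http", 443: "tls", 445: "smb", 3389: "rdp"}
ENCRYPTED = {"ssh", "tls"}            # protocols that are already encrypted end to end
TUNNEL_BINS = {"ssh", "socat"}

PROCESS_ROWS = [  # constructed, shaped like osquery's processes table
    {"pid": 4101, "name": "ssh", "uid": 1000,
     "cmdline": "ssh -fN -R 2222:127.0.0.1:22 -R 3389:10.0.0.5:3389 ops@203.0.113.10"},
    {"pid": 4102, "name": "ssh", "uid": 1000, "cmdline": "ssh -D 1080 ops@203.0.113.10"},
    {"pid": 4103, "name": "socat", "uid": 0,
     "cmdline": "socat TCP-LISTEN:443,fork,reuseaddr TCP:10.0.0.5:3389"},
    {"pid": 4104, "name": "ssh", "uid": 1001, "cmdline": "ssh -p 22 deploy@10.0.0.7"},
]

SSH_FWD = re.compile(r"^-([LRDW])(.*)$")      # -L/-R/-D/-W, value attached or separate
SOCAT_ADDR = re.compile(r"^(TCP\d?|UDP\d?)(-LISTEN)?:([^,]+)", re.IGNORECASE)


def proto(port):
    return PROTOCOL_BASELINE.get(port, "unknown")


def ssh_forwards(argv):
    """Return [(flag, spec)] for forwarding options, e.g. ('R', '3389:10.0.0.5:3389')."""
    fwds, i = [], 1
    while i < len(argv):
        m = SSH_FWD.match(argv[i])
        if m:
            spec = m.group(2)
            if not spec and i + 1 < len(argv):   # value given as the next argument
                i += 1
                spec = argv[i]
            fwds.append((m.group(1), spec))
        i += 1
    return fwds


def check_ssh(argv):
    reasons = []
    for flag, spec in ssh_forwards(argv):
        if flag == "D":
            reasons.append(f"dynamic SOCKS proxy on {spec}")
            continue
        target = int(spec.rsplit(":", 1)[-1])   # -L/-R/-W specs all end in hostport
        if proto(target) not in ENCRYPTED:
            reasons.append(f"-{flag} encapsulates {proto(target)} (port {target}) inside SSH")
    return reasons


def check_socat(argv):
    listen, targets = None, []
    for arg in argv[1:]:
        m = SOCAT_ADDR.match(arg)
        if not m:
            continue
        port = int(m.group(3).rsplit(":", 1)[-1])   # "443" or "host:3389"
        if m.group(2):
            listen = port
        else:
            targets.append(port)
    return [f"listener on {listen} ({proto(listen)}) relays {proto(t)} (port {t})"
            for t in targets if listen is not None and proto(listen) != proto(t)]


def analyze(rows):
    findings = []
    for row in rows:
        argv = shlex.split(row["cmdline"])
        name = argv[0].rsplit("/", 1)[-1]
        if name not in TUNNEL_BINS:
            continue
        reasons = check_ssh(argv) if name == "ssh" else check_socat(argv)
        if reasons:
            findings.append({"pid": row["pid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(PROCESS_ROWS):
        print(f["pid"], "; ".join(f["reasons"]))
```

The plain "ssh -p 22 deploy@10.0.0.7" session produces nothing, and the -R 2222:127.0.0.1:22 forward is not reported because SSH inside SSH does not change the protocol on the wire; only the RDP forward, the SOCKS proxy and the 443-to-3389 socat relay are flagged. Forwards configured in ~/.ssh/config (LocalForward, RemoteForward) never appear on the command line, so in production this check is complemented by the sshd_config and syslog channels in the table.
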

On macOS, launchd-managed or user-invoked processes (ssh, socat) encapsulate traffic via SSH tunnels, VPN-style tooling, or DNS-over-HTTPS clients. Defenders see outbound TLS traffic carrying embedded DNS or RDP payloads; without TLS inspection the payload itself is opaque, so the inference rests on the process and its forwarding flags, the destination (compared against approved resolvers), and payload entropy on ports where cleartext is expected.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process execution of ssh with -L/-R forwarding flags |
| Network Traffic Content (DC0085) | macos:unifiedlog | encrypted outbound traffic carrying unexpected application data |

| Field | Description |
|---|---|
| ExpectedDoHResolvers | Known legitimate DoH resolvers used in environment. |
| PayloadEntropyThreshold | Flag excessive randomness in payloads on standard ports. |
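
The PayloadEntropyThreshold and ExpectedDoHResolvers checks for the macOS analytic, as an added example that is not part of the original page: Shannon entropy is computed over the first bytes of each outbound connection on ports whose baseline protocol is cleartext, and DNS-over-HTTPS requests are compared against the approved resolver list. The connection records, the resolver address, the process name doh-client and the pseudo-random bytes standing in for ciphertext are constructed; byte-level payloads and the application/dns-message content type are assumed to come from a TLS-inspecting proxy or packet capture, since the unified log does not expose packet contents.

```python
"""Added example (not from the ATT&CK page): apply the PayloadEntropyThreshold and
ExpectedDoHResolvers knobs from the table above to outbound connection records.
Records, resolver list and thresholds are constructed; payload bytes and the
"application/dns-message" content type are assumed to come from a TLS-inspecting
proxy or packet capture, since the unified log does not expose packet contents."""
import math
import random

PAYLOAD_ENTROPY_THRESHOLD = 7.0            # bits per byte; plaintext protocols sit well below
# Ports whose baseline protocol is cleartext, so an encrypted-looking payload is suspicious.
CLEARTEXT_PORTS = {53: "dns", 80: "http"}
EXPECTED_DOH_RESOLVERS = {"198.51.100.1"}  # assumed corporate DoH resolver


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Deterministic pseudo-random bytes stand in for tunneled ciphertext (constructed).
_CIPHERTEXT = random.Random(7).randbytes(512)
RECORDS = [  # constructed connection records
    {"proc": "curl", "dst": "198.51.100.80", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
                b"User-Agent: curl/8.4.0\r\nAccept: */*\r\n\r\n"},
    {"proc": "ssh", "dst": "203.0.113.10", "dport": 80, "payload": _CIPHERTEXT},
    {"proc": "ssh", "dst": "10.0.0.20", "dport": 22, "payload": _CIPHERTEXT},
    {"proc": "doh-client", "dst": "203.0.113.53", "dport": 443, "payload": b"",
     "content_type": "application/dns-message"},
    {"proc": "doh-client", "dst": "198.51.100.1", "dport": 443, "payload": b"",
     "content_type": "application/dns-message"},
]


def analyze(records):
    findings = []
    for r in records:
        reasons = []
        if r["dport"] in CLEARTEXT_PORTS:
            h = entropy(r["payload"])
            if h >= PAYLOAD_ENTROPY_THRESHOLD:
                reasons.append(f"payload entropy {h:.2f} on port {r['dport']} "
                               f"(expected {CLEARTEXT_PORTS[r['dport']]})")
        if (r.get("content_type") == "application/dns-message"
                and r["dst"] not in EXPECTED_DOH_RESOLVERS):
            reasons.append(f"DNS-over-HTTPS to unapproved resolver {r['dst']}")
        if reasons:
            findings.append({"proc": r["proc"], "dst": r["dst"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(RECORDS):
        print(f["proc"], f["dst"], "; ".join(f["reasons"]))
```

Only the ssh session on port 80 and the DoH request to 203.0.113.53 are reported; the same ciphertext on port 22 is expected there, and the DoH request to the approved resolver passes. Entropy is measured over a sample of the stream rather than a whole flow because compressed HTTP bodies also score high, which is why the threshold is applied per port baseline and not globally.
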

On ESXi, VMware daemons or user processes encapsulate traffic (e.g., guest VMs tunneling via hostd). Defenders see network services on the ESXi host creating flows inconsistent with management plane traffic, such as SSH forwarding or DNS-over-HTTPS originating from management interfaces.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:vpxd | ESXi processes relaying traffic via SSH or unexpected ports |
| Network Traffic Content (DC0085) | esxcli:network | listening sockets (e.g., from esxcli network ip connection list) bound to non-standard ports or owned by unexpected worlds |

| Field | Description |
|---|---|
| ESXiServiceProfiles | Baseline allowed services and expected ports for ESXi management. |
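
The ESXiServiceProfiles baseline applied to socket state, as an added example that is not part of the original page: each listening socket is checked against the world expected to own that management port, and each established flow the host itself initiated is checked against the destinations its world is allowed to reach, so a stray listener, a baseline port taken over by another world, and an outbound SSH from the management interface are all reported. The sample output is constructed to resemble the column layout of esxcli network ip connection list, and the port/world baseline is an assumption for the example rather than VMware guidance.

```python
"""Added example (not from the ATT&CK page): audit ESXi socket state against an
ESXiServiceProfiles baseline. SAMPLE_OUTPUT is constructed to resemble the columns of
`esxcli network ip connection list` (Proto, Recv Q, Send Q, Local Address, Foreign
Address, State, World ID, CC Algo, World Name); the baseline mappings are assumed."""

# ESXiServiceProfiles: world expected to own each management listener (assumed).
LISTEN_PROFILE = {22: "sshd", 443: "rhttpproxy", 902: "vmware-authd"}
# Worlds permitted to originate outbound flows, and to which destination ports (assumed).
OUTBOUND_PROFILE = {"vpxa": {443, 902}, "hostd": {443}}

SAMPLE_OUTPUT = """\
Proto  Recv Q  Send Q  Local Address     Foreign Address      State        World ID  CC Algo  World Name
tcp    0       0       0.0.0.0:443       0.0.0.0:0            LISTEN       2099001   newreno  rhttpproxy
tcp    0       0       0.0.0.0:22        0.0.0.0:0            LISTEN       2099010   newreno  sshd
tcp    0       0       192.0.2.10:22     198.51.100.5:51822   ESTABLISHED  2099011   newreno  sshd
tcp    0       0       192.0.2.10:51000  198.51.100.20:443    ESTABLISHED  2099020   newreno  vpxa
tcp    0       0       0.0.0.0:8443      0.0.0.0:0            LISTEN       2102200   newreno  socat
tcp    0       0       0.0.0.0:902       0.0.0.0:0            LISTEN       2102210   newreno  nc
tcp    0       0       192.0.2.10:53044  203.0.113.10:22      ESTABLISHED  2102220   newreno  ssh
"""


def parse(output):
    """Turn the tabular listing into dicts; header and unrecognised lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] not in ("tcp", "udp"):
            continue
        local, foreign = parts[3], parts[4]
        rows.append({"proto": parts[0],
                     "lport": int(local.rsplit(":", 1)[1]),
                     "faddr": foreign.rsplit(":", 1)[0],
                     "fport": int(foreign.rsplit(":", 1)[1]),
                     "state": parts[5], "world": parts[8]})
    return rows


def audit(output):
    """Return human-readable findings for sockets that violate the service profiles."""
    findings = []
    for r in parse(output):
        if r["state"] == "LISTEN":
            owner = LISTEN_PROFILE.get(r["lport"])
            if owner is None:
                findings.append(f"{r['world']} listening on unprofiled port {r['lport']}")
            elif owner != r["world"]:
                findings.append(f"{r['world']} owns port {r['lport']} expected for {owner}")
        elif r["state"] == "ESTABLISHED" and r["lport"] not in LISTEN_PROFILE:
            # Local port is not a baseline listener, so the host initiated this flow.
            if r["fport"] not in OUTBOUND_PROFILE.get(r["world"], set()):
                findings.append(f"{r['world']} initiated outbound to {r['faddr']}:{r['fport']}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_OUTPUT):
        print(line)
```

The inbound sshd session and the vpxa connection to vCenter on 443 pass; the socat listener on 8443, nc squatting on 902, and the ssh world connecting out to 203.0.113.10:22 are reported. Keying the outbound rule on the world name matters because the same destination port is legitimate for vpxa and suspicious for an interactive ssh client started from the management shell.
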