Process

unknown

ssh.exe

ssh.exe is the OpenSSH client built into modern Windows, used to open secure shell connections to other machines. Administrators use it to manage Linux and Windows hosts. Attackers use it for lateral movement, for tunneling traffic, and to run commands through a signed binary.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • ssh localhost "{CMD}" (Execute): Executes the specified command; can be used for defense evasion.
  • ssh -o ProxyCommand="{CMD}" . (Execute): Executes the specified file; can be used for defense evasion.

Indicators

Hashes

Not observed.

Analysis

About this process

ssh.exe is the Windows port of the OpenSSH client. It connects to SSH servers to start interactive shells, run single commands (ssh host command), copy files, and set up port forwarding and proxy tunnels. It ships with Windows 10 and later as an optional feature that is installed by default, with the genuine binary at C:\Windows\System32\OpenSSH\ssh.exe.

Legitimately, ssh is used by administrators and developers to reach remote systems. Where it connects, what it runs, and any tunneling it sets up are what give an instance meaning.

Security notes

ssh.exe supports lateral movement and remote execution (T1021.004). With keys or stolen credentials, an operator opens shells on other machines or runs one-off commands, blending with normal administration. Its forwarding options (-L, -R, -D) build tunnels that pivot traffic through compromised hosts and bypass network controls, which is often a more important signal than the login itself.

ssh can also run a local program as a side effect: the ProxyCommand and local-command options execute a command on the source machine, a form of indirect command execution through a signed binary (T1202). Because ssh is legitimate, the destinations, the forwarding flags, and any local-command options are what separate administration from pivoting and abuse.

Anomaly signals
  • Image path other than C:\Windows\System32\OpenSSH\ssh.exe (high)
  • Port-forwarding or dynamic-proxy flags (-L, -R, -D) setting up tunnels (high)
  • A ProxyCommand or local-command option that runs a local program (high)
  • Parent is an Office application, a script host, or an unfamiliar process (high)
  • Connections to external hosts from a server or service context (medium)
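As an added example (not part of this catalogue entry), a Python check that scores a single ssh.exe process-creation event against the signals above: it compares the image path with the genuine location, parses the command line with ssh's own short-option rules so clustered forms like -fND 1080 and attached forms like -oProxyCommand=... are caught, and flags Office or script-host parents. The parent list, the event fields and the sample command lines are constructed assumptions; the external-host signal needs network context and is left out.

```python
import shlex

# Genuine location of the Windows OpenSSH client (from the entry above); compared case-insensitively.
GENUINE_IMAGE = r"c:\windows\system32\openssh\ssh.exe"
# ssh(1) short options that take an argument; every other letter is a bare switch.
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")
TUNNEL_OPTS = {"L", "R", "D"}                       # local/remote forwarding, dynamic SOCKS proxy
LOCAL_EXEC_KEYS = {"proxycommand", "localcommand"}  # -o settings that run a program on the source host
# Constructed (assumed) list of parents that should rarely spawn ssh.exe: Office apps and script hosts.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def parse_ssh_options(cmdline):
    """Return (short switches, {-o key: value}) using ssh's own getopt rules, so clustered
    forms like -fND1080 and attached forms like -oProxyCommand=x are read correctly."""
    argv = shlex.split(cmdline, posix=False)[1:]   # posix=False keeps Windows backslashes intact
    switches, settings = set(), {}
    i = 0
    while i < len(argv) and argv[i].startswith("-") and argv[i] not in ("-", "--"):
        tok, j = argv[i], 1
        while j < len(tok):
            opt = tok[j]
            switches.add(opt)
            if opt in OPTS_WITH_ARG:                # argument is the rest of this token or the next one
                arg = tok[j + 1:]
                if not arg:
                    i += 1
                    arg = argv[i] if i < len(argv) else ""
                if opt == "o":
                    key, _, val = arg.partition("=")
                    settings[key.strip("\"'").lower()] = val.strip("\"'")
                break
            j += 1
        i += 1
    return switches, settings

def assess_ssh_event(image, cmdline, parent_image):
    """Score one ssh.exe process-creation event against the anomaly signals listed above.
    Returns a list of (signal, severity) tuples; an empty list means nothing unusual."""
    findings = []
    if image.lower() != GENUINE_IMAGE:
        findings.append(("image path is not the genuine OpenSSH client", "high"))
    switches, settings = parse_ssh_options(cmdline)
    if switches & TUNNEL_OPTS:
        findings.append(("port-forwarding or dynamic-proxy flag (-L/-R/-D)", "high"))
    if LOCAL_EXEC_KEYS & set(settings):
        findings.append(("ProxyCommand or LocalCommand runs a local program", "high"))
    if parent_image.rsplit("\\", 1)[-1].lower() in SUSPICIOUS_PARENTS:
        findings.append(("parent is an Office application or script host", "high"))
    return findings
```

Feed it the image path, command line and parent image from a process-creation event (Sysmon Event ID 1 or the 4688 equivalent) and alert on any "high" finding.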

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
