This note documents detection patterns related to Linux Tunneling and Port Forwarding on Linux systems.

Direct Indicators

Source	Grep Pattern / Artifact	Meaning	Forensic Value	Notes
Shell history	`ssh -L`	Local port forward	Critical	Common attacker pivot method.
Shell history	`ssh -R`	Remote port forward	Critical	Reverse pivot / callback tunnel.
Shell history	`ssh -D`	SOCKS proxy tunnel	Critical	Flexible pivoting channel.
Shell history	`ProxyCommand`	SSH-based chained tunnel	Critical	Advanced pivot signal.
Shell history	`socat TCP-LISTEN`	Custom forward listener	Critical	Strong operator indicator.
Shell history	`socat TCP:`	Direct relay	Critical	Manual tunnel construction.
Shell history	`nc -lvp`	Listener for forwarding	High	Simple tunnel staging.
Shell history	`chisel`	Dedicated tunneling utility	Critical	Very strong intrusion signal.
Shell history	`sshuttle`	Transparent tunnel	Critical	Advanced internal pivoting.
Shell history	`iptables -t nat`	Traffic redirection	Critical	Port redirection or covert relay.
`ss -plant`	listening unexpected local port	Active tunnel endpoint	Critical	Runtime truth.
`lsof -i`	tunnel-owning process	Attribution	Critical	PID linkage.
`auditd`	tunneling command execution	Process attribution	Critical	Best attribution if enabled.
Network logs	long-lived unusual SSH session	Tunnel persistence	Critical	Strong network clue.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Tunnel immediately after foothold	Pivot preparation	Critical	Common attacker progression.
SOCKS tunnel before internal recon	Internal expansion	Critical	Strong hostile chain.
Chisel in temp path	Dedicated operator tooling	Critical	Very strong signal.
SSH tunnel under service account	Suspicious context	Critical	Often exploitation shell.
Listener on high port unexpectedly	Forward endpoint	Critical	Runtime clue.
Long-lived SSH with no shell activity	Tunnel likely	Critical	Strong operational clue.
Tunnel plus internal SSH movement	Active pivot	Critical	Multi-host compromise signal.
NAT redirection after root shell	Advanced pivot	Critical	Mature operator behavior.
Hidden binary owns listener	Concealed tunnel	Critical	Strong malicious signal.
Tunnel plus cleanup	Mature intrusion discipline	High	Operator maturity clue.

Common Tools

Tool	Usage
`ssh -L`	Local forward.
`ssh -R`	Reverse forward.
`ssh -D`	SOCKS proxy.
`socat`	Flexible TCP relay.
`nc`	Simple listener/relay.
`chisel`	Dedicated HTTP tunnel.
`sshuttle`	Transparent subnet tunnel.

Relevant Artifacts

Artifact	Path / Command	Forensic Value	Notes
Shell history	`.bash_history`, `.zsh_history`	Critical	Tunnel command evidence.
Live sockets	`ss -plant`, `netstat -plant`	Critical	Active endpoints.
Process attribution	`lsof -i`	Critical	PID linkage.
SSH config	`~/.ssh/config`	High	Tunnel definitions.
Audit logs	`/var/log/audit/audit.log`	Critical	Process attribution.
Firewall rules	`iptables`, nftables	Critical	Redirection clue.
Temp binaries	`/tmp`, `/var/tmp`, `/dev/shm`	High	chisel / helpers often staged here.

MITRE ATT&CK References

T1572 Protocol Tunneling
T1090 Proxy
T1021 Remote Services

Decision Tree

Was tunneling command used?
- Search shell history and audit logs.
Which tunnel type?
- Local, remote, SOCKS, relay.
Is listener active?
- Enumerate sockets and owners.
Did tunnel enable movement?
- Internal recon, SSH, file transfer.
Is context suspicious?
- Service account, temp tooling, hidden binary.
Pivot
- Port → remote endpoint.
- Process → binary path.
- Timeline → movement chain.
Confirm tunneling abuse
- Tunnel command + active socket + suspicious context = strong pivot finding.

Example Detection Templates

Grep

grep -R "ssh -L\|ssh -R\|ssh -D\|ProxyCommand\|socat TCP-LISTEN\|socat TCP:\|nc -lvp\|chisel\|sshuttle\|iptables -t nat" /home/*/.bash_history /root/.bash_history 2>/dev/null

Journalctl

journalctl | grep -E "ssh|socat|iptables"

File Inspection

ss -plant

lsof -i

Sigma

title: Linux Tunneling and Port Forwarding
id: linux-tunneling-port-forwarding
status: experimental
description: Detects suspicious tunneling and port forwarding activity on Linux
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'ssh -L'
      - 'ssh -R'
      - 'ssh -D'
      - 'chisel'
      - 'socat'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate administration tunnels
level: high
tags:
  - attack.command_and_control
  - attack.t1572

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
SSH policy	Restrict forwarding features	Critical	Removes common pivot path.
Egress filtering	Limit arbitrary outbound tunnels	Critical	Major reduction in tunnel success.
Auditd	Track tunneling commands	High	Strong attribution.
Socket monitoring	Alert on unusual listeners	High	Runtime visibility.
Temp monitoring	Detect chisel / tunnel binaries	High	Strong intrusion clue.

Fast Triage Checks

Question	Command / Artifact	Why It Matters
Was forwarding used?	grep history	Immediate pivot clue.
Is listener active?	ss / lsof	Runtime truth.
Which process owns tunnel?	PID attribution	Core linkage.
Did tunnel enable movement?	correlate SSH/recon	Attack progression.
Is tool hidden/temp?	inspect binary path	Stealth clue.

High Value Grep Strings

Pattern	Why It Matters
`ssh -L`	Local forward.
`ssh -R`	Reverse forward.
`ssh -D`	SOCKS tunnel.
`socat`	Manual relay.
`chisel`	Dedicated tunnel utility.
`sshuttle`	Transparent subnet tunnel.
`iptables -t nat`	Traffic redirection.

Analyst Notes

Scenario	Interpretation
`ssh -D` then internal scans	Strong pivot chain.
Chisel in temp path	Very strong operator evidence.
Hidden process listening high port	Concealed tunnel likely.
Long SSH session no shell activity	Tunnel probable.
Tunnel plus SSH movement	Active multi-host compromise.
NAT redirection after root	Mature operator behavior.