From a098dfd5c6ff575198019566bbfbf925d3f74b18 Mon Sep 17 00:00:00 2001
From: Aashiq Ahmed <153970357+cyber20233@users.noreply.github.com>
Date: Tue, 10 Mar 2026 11:58:31 +1100
Subject: [PATCH 1/9] Create SSHCommandHunt.mkape
This module searches command history and text artifacts for evidence of SSH tunneling and network pivoting commands.
Tools detected include:
- OpenSSH (ssh -L, -R, -D)
- PuTTY Plink
- Chisel
- Netsh portproxy
- Ngrok
- Cloudflared
- Ligolo
- FRP
- Socat
The module parses command history files such as: ConsoleHost_history.txt .bash_history .zsh_history
This helps investigators identify tunneling and pivoting activity during incident response.
---
 Modules/SSHCommandHunt.mkape | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 Modules/SSHCommandHunt.mkape
diff --git a/Modules/SSHCommandHunt.mkape b/Modules/SSHCommandHunt.mkape
new file mode 100644
index 000000000..fc3fc29ec
--- /dev/null
+++ b/Modules/SSHCommandHunt.mkape
@@ -0,0 +1,13 @@
+Description: Search command history and text artifacts for SSH tunneling and pivoting commands
+Category: Apps
+Author: Aashiq Ahmed
+Version: 1.0
+Id: 3a5b2f54-2b1d-4c7a-9a9e-6c7d52b7a8a1
+BinaryUrl: https://github.com/EricZimmerman/KapeFiles
+ExportFormat: csv
+
+Processors:
+ -
+ Executable: powershell.exe
+ CommandLine: -ExecutionPolicy Bypass -NoProfile -File .\Modules\bin\SSHCommandHunt.ps1 -Source %sourceDirectory% -Out %destinationDirectory%\SSHCommandHits.csv
+ ExportFormat: csv
From b0cb230034130c3cbfc0ee3223c1d43c30f13e58 Mon Sep 17 00:00:00 2001
From: Aashiq Ahmed <153970357+cyber20233@users.noreply.github.com>
Date: Tue, 10 Mar 2026 12:05:37 +1100
Subject: [PATCH 2/9] Move SSHCommandHunt module to Modules/Apps
---
 Modules/{ => Apps}/SSHCommandHunt.mkape | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Modules/{ => Apps}/SSHCommandHunt.mkape (100%)
diff --git a/Modules/SSHCommandHunt.mkape b/Modules/Apps/SSHCommandHunt.mkape
similarity index 100%
rename from Modules/SSHCommandHunt.mkape
rename to Modules/Apps/SSHCommandHunt.mkape
From fc6ccc2c46f842ceeb22cc873212e1745631bfef Mon Sep 17 00:00:00 2001
From: Aashiq Ahmed <153970357+cyber20233@users.noreply.github.com>
Date: Tue, 10 Mar 2026 12:12:01 +1100
Subject: [PATCH 3/9] Add SSHCommandHunt parser script
---
 Modules/bin/SSHCommandHunt.ps1 | 63 ++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 Modules/bin/SSHCommandHunt.ps1
diff --git a/Modules/bin/SSHCommandHunt.ps1 b/Modules/bin/SSHCommandHunt.ps1
new file mode 100644
index 000000000..0ace75c88
--- /dev/null
+++ b/Modules/bin/SSHCommandHunt.ps1
@@ -0,0 +1,63 @@
+param(
+[string]$Source,
+[string]$Out
+)
+
+$patterns = @(
+"ssh -L",
+"ssh -R",
+"ssh -D",
+"ssh -N",
+"plink -L",
+"plink -R",
+"plink -D",
+"netsh interface portproxy",
+"chisel",
+"ngrok",
+"cloudflared",
+"ligolo",
+"frp",
+"socat"
+)
+
+$results = @()
+
+$files = Get-ChildItem -Path $Source -Recurse -File -ErrorAction SilentlyContinue
+
+foreach ($file in $files) {
+
+```
+try {
+
+ $lines = Get-Content $file.FullName -ErrorAction SilentlyContinue
+ $lineNum = 0
+
+ foreach ($line in $lines) {
+
+ $lineNum++
+
+ foreach ($pattern in $patterns) {
+
+ if ($line -match $pattern) {
+
+ $results += [PSCustomObject]@{
+ FilePath = $file.FullName
+ FileName = $file.Name
+ LineNumber = $lineNum
+ PatternMatched = $pattern
+ CommandLine = $line
+ LastWriteTimeUtc = $file.LastWriteTimeUtc
+ }
+
+ }
+
+ }
+
+ }
+
+} catch {}
+```
+
+}
+
+$results | Export-Csv $Out -NoTypeInformation
From 17c349e22d942157b037b0ff95dd59e68f35b77e Mon Sep 17 00:00:00 2001
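Review bot: The added script cannot run as written, because the two lines consisting of three backticks (the one before `try {` and the one after `} catch {}`) are markdown fence residue, and a backtick is PowerShell's escape character, so the parser chokes on them; both lines should be deleted. Beyond that, `Get-ChildItem -Path $Source -Recurse -File` with no name filter reads every file under the source directory, binaries included, although the commit message scopes the module to ConsoleHost_history.txt, .bash_history and .zsh_history, and the empty `catch {}` combined with `-ErrorAction SilentlyContinue` hides which files could not be read, which an examiner needs to know when assessing coverage. `-match` treats each pattern as a regex substring, so short entries such as `frp` and `chisel` also hit inside unrelated words; anchoring them (e.g. `\bfrp\b`) would cut triage noise. `$results += ...` copies the array on every hit, which becomes quadratic on large collections, and neither parameter is mandatory, so an empty `-Source` silently produces an empty CSV.
```powershell
param(
    [Parameter(Mandatory = $true)][string]$Source,
    [Parameter(Mandatory = $true)][string]$Out
)
# … unchanged: $patterns …
$results = [System.Collections.Generic.List[object]]::new()
# Restrict to the history artifacts the module is documented to parse; widen deliberately if other text artifacts are wanted.
$files = Get-ChildItem -Path $Source -Recurse -File -Include 'ConsoleHost_history.txt', '.bash_history', '.zsh_history' -ErrorAction SilentlyContinue
foreach ($file in $files) {
    try {
        # … unchanged: line/pattern loop, using $results.Add([PSCustomObject]@{ … }) instead of += …
    } catch {
        # Surface unreadable files so coverage gaps are visible in the KAPE console log.
        Write-Warning "Could not read $($file.FullName): $($_.Exception.Message)"
    }
}
```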
From: Aashiq Ahmed <153970357+cyber20233@users.noreply.github.com>
Date: Tue, 10 Mar 2026 12:16:29 +1100
Subject: [PATCH 4/9] Rename SSHCommandHunt.mkape to SSHTunnelHunt.mkape
---
 Modules/Apps/{SSHCommandHunt.mkape => SSHTunnelHunt.mkape} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Modules/Apps/{SSHCommandHunt.mkape => SSHTunnelHunt.mkape} (100%)
diff --git a/Modules/Apps/SSHCommandHunt.mkape b/Modules/Apps/SSHTunnelHunt.mkape
similarity index 100%
rename from Modules/Apps/SSHCommandHunt.mkape
rename to Modules/Apps/SSHTunnelHunt.mkape
From b632ad90103faa6412a0520a40c3ba6ce0d752f0 Mon Sep 17 00:00:00 2001
From: Aashiq Ahmed <153970357+cyber20233@users.noreply.github.com>
Date: Tue, 10 Mar 2026 12:23:59 +1100
Subject: [PATCH 5/9] Update SSHTunnelHunt.mkape
---
 Modules/Apps/SSHTunnelHunt.mkape | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/Modules/Apps/SSHTunnelHunt.mkape b/Modules/Apps/SSHTunnelHunt.mkape
index fc3fc29ec..f4093658d 100644
--- a/Modules/Apps/SSHTunnelHunt.mkape
+++ b/Modules/Apps/SSHTunnelHunt.mkape
@@ -7,7 +7,10 @@ BinaryUrl: https://github.com/EricZimmerman/KapeFiles
 ExportFormat: csv
 
 Processors:
- -
- Executable: powershell.exe
- CommandLine: -ExecutionPolicy Bypass -NoProfile -File .\Modules\bin\SSHCommandHunt.ps1 -Source %sourceDirectory% -Out %destinationDirectory%\SSHCommandHits.csv
- ExportFormat: csv
+ -
+ Executable: powershell.exe
+ CommandLine: -ExecutionPolicy Bypass -NoProfile -File .\Modules\bin\SSHCommandHunt.ps1 -Source %sourceDirectory% -Out %destinationDirectory%\SSHCommandHits.csv
+ExportFormat: csv
+
+# Documentation
+# Searches artifact text for command patterns associated with SSH tunneling and common pivoting tools such as ssh -L/-R/-D, plink, netsh portproxy, chisel, ngrok, cloudflared, ligolo, frp, and socat.
From ba52ac15c827689875775d4d10888dbcf953900d Mon Sep 17 00:00:00 2001
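Review bot: The new `# Documentation` comment lists which tools the patterns cover but says nothing about how to read the output, which matters here because the processor script added in PATCH 3 matches each pattern as a regex substring against every file under %sourceDirectory%, so hits are candidates rather than confirmed activity. A second comment line such as `# Hits are substring regex matches (short tokens like frp or chisel can match inside unrelated words); triage CommandLine and FilePath before reporting, and prefer running against a collected history-file target rather than a full image.` would set analyst expectations. The processor line above the comment still references `.\Modules\bin\SSHCommandHunt.ps1` and writes `SSHCommandHits.csv` while the module is now SSHTunnelHunt; if the script name is intentionally kept, the comment is the place to say so.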
From: Aashiq Ahmed <153970357+cyber20233@users.noreply.github.com>
Date: Tue, 10 Mar 2026 12:34:44 +1100
Subject: [PATCH 6/9] Update SSHTunnelHunt.mkape
---
 Modules/Apps/SSHTunnelHunt.mkape | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Modules/Apps/SSHTunnelHunt.mkape b/Modules/Apps/SSHTunnelHunt.mkape
index f4093658d..0eec38e80 100644
--- a/Modules/Apps/SSHTunnelHunt.mkape
+++ b/Modules/Apps/SSHTunnelHunt.mkape
@@ -10,7 +10,6 @@ Processors:
 -
 Executable: powershell.exe
 CommandLine: -ExecutionPolicy Bypass -NoProfile -File .\Modules\bin\SSHCommandHunt.ps1 -Source %sourceDirectory% -Out %destinationDirectory%\SSHCommandHits.csv
-ExportFormat: csv
 
 # Documentation
 # Searches artifact text for command patterns associated with SSH tunneling and common pivoting tools such as ssh -L/-R/-D, plink, netsh portproxy, chisel, ngrok, cloudflared, ligolo, frp, and socat.
From 39c1cf6e0ea281a477aa3b97d7be2c4c64573439 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Mon, 9 Mar 2026 21:48:55 -0400
Subject: [PATCH 7/9] Delete Modules/bin/SSHCommandHunt.ps1
---
 Modules/bin/SSHCommandHunt.ps1 | 63 ----------------------------------
 1 file changed, 63 deletions(-)
 delete mode 100644 Modules/bin/SSHCommandHunt.ps1
diff --git a/Modules/bin/SSHCommandHunt.ps1 b/Modules/bin/SSHCommandHunt.ps1
deleted file mode 100644
index 0ace75c88..000000000
--- a/Modules/bin/SSHCommandHunt.ps1
+++ /dev/null
@@ -1,63 +0,0 @@
-param(
-[string]$Source,
-[string]$Out
-)
-
-$patterns = @(
-"ssh -L",
-"ssh -R",
-"ssh -D",
-"ssh -N",
-"plink -L",
-"plink -R",
-"plink -D",
-"netsh interface portproxy",
-"chisel",
-"ngrok",
-"cloudflared",
-"ligolo",
-"frp",
-"socat"
-)
-
-$results = @()
-
-$files = Get-ChildItem -Path $Source -Recurse -File -ErrorAction SilentlyContinue
-
-foreach ($file in $files) {
-
-```
-try {
-
- $lines = Get-Content $file.FullName -ErrorAction SilentlyContinue
- $lineNum = 0
-
- foreach ($line in $lines) {
-
- $lineNum++
-
- foreach ($pattern in $patterns) {
-
- if ($line -match $pattern) {
-
- $results += [PSCustomObject]@{
- FilePath = $file.FullName
- FileName = $file.Name
- LineNumber = $lineNum
- PatternMatched = $pattern
- CommandLine = $line
- LastWriteTimeUtc = $file.LastWriteTimeUtc
- }
-
- }
-
- }
-
- }
-
-} catch {}
-```
-
-}
-
-$results | Export-Csv $Out -NoTypeInformation
From 3eb7a40c339ea12a2f180ca2a50e5093721892b6 Mon Sep 17 00:00:00 2001
From: Aashiq Ahmed <153970357+cyber20233@users.noreply.github.com>
Date: Tue, 10 Mar 2026 13:08:56 +1100
Subject: [PATCH 8/9] Update SSHTunnelHunt.mkape
---
 Modules/Apps/SSHTunnelHunt.mkape | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/Apps/SSHTunnelHunt.mkape b/Modules/Apps/SSHTunnelHunt.mkape
index 0eec38e80..7469f2524 100644
--- a/Modules/Apps/SSHTunnelHunt.mkape
+++ b/Modules/Apps/SSHTunnelHunt.mkape
@@ -3,7 +3,7 @@ Category: Apps
 Author: Aashiq Ahmed
 Version: 1.0
 Id: 3a5b2f54-2b1d-4c7a-9a9e-6c7d52b7a8a1
-BinaryUrl: https://github.com/EricZimmerman/KapeFiles
+BinaryUrl: https://raw.githubusercontent.com/cyber20233/SSHCommandHunt/main/SSHCommandHunt.ps1
 ExportFormat: csv
 
 Processors:
From 05a549908494736e994ce619d325ab2ec312d7c6 Mon Sep 17 00:00:00 2001
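Review bot: The new `BinaryUrl` points at the `main` branch of a personal repository through raw.githubusercontent.com, so the reference users presumably follow to obtain the processor is mutable: whatever is at `main` at download time is what later runs under `-ExecutionPolicy Bypass` on the examiner's workstation, and the in-repo copy that could be reviewed was removed in PATCH 7. Pin the reference to a specific revision, e.g. `BinaryUrl: https://raw.githubusercontent.com/cyber20233/SSHCommandHunt/<PINNED_COMMIT_SHA>/SSHCommandHunt.ps1`, and record the expected SHA-256 of that revision in the `# Documentation` comment so the download can be verified before it is placed in Modules\bin. If the hosted copy is the same script that PATCH 7 deleted, it still carries the two markdown-fence backtick lines that keep PowerShell from parsing it, so the hosted revision should be checked before this URL is merged.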
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Mon, 9 Mar 2026 22:11:10 -0400
Subject: [PATCH 9/9] Move Module from Apps to Apps\GitHub
---
 Modules/Apps/{ => GitHub}/SSHTunnelHunt.mkape | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Modules/Apps/{ => GitHub}/SSHTunnelHunt.mkape (100%)
diff --git a/Modules/Apps/SSHTunnelHunt.mkape b/Modules/Apps/GitHub/SSHTunnelHunt.mkape
similarity index 100%
rename from Modules/Apps/SSHTunnelHunt.mkape
rename to Modules/Apps/GitHub/SSHTunnelHunt.mkape