Ssh… Don’t Tell Them I Am Not HTTPS: How Attackers Use SSH.exe as a Backdoor Into Your Network
ID: bedf7404-ab3c-5309-abc9-ec19e27b8b06
STIX ID: report--bedf7404-ab3c-5309-abc9-ec19e27b8b06
Feed Name: Black Hills Infosec Blog
This BHIS incident report describes attackers abusing Windows OpenSSH (ssh.exe) to establish reverse SSH tunnels (using the -f -N -R options and StrictHostKeyChecking=no) from compromised servers out to an external host, persisted via a scheduled task and a specially configured tunnel-only user with an empty password; the tunnels were used to proxy RDP and enable further access. The report highlights detection opportunities (egress filtering, application-layer firewalling, alerts on unusual SSH flags and suspicious known_hosts entries) and notes that this technique is not widely documented in ATT&CK.
