Living off the land with native SSH and split tunnelling

ID: e75aebf5-71ca-51a7-9e20-9da1bbd3213b

STIX ID: report--e75aebf5-71ca-51a7-9e20-9da1bbd3213b

Feed Name: Pen Test Partners Blog

Date Published: 2024-03-06

Date Updated: 2026-03-24

Author: Joe Blogs

This report explains how attackers can leverage the built-in Windows OpenSSH client to create split-tunnel SSH proxies (dynamic/reverse port forwarding), allowing internal network traffic to be routed through an external server and enabling stealthy operations (e.g., via proxychains) without deploying full C2. It provides minimal setup guidance (SSH keys, SOCKS proxy) and recommends defenses: restrict or remove the SSH client from endpoints, ensure full removal of lingering binaries, and reassess split-tunneling/VPN routing to consolidate monitoring and reduce exposure.
