Remote Services: SSH

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.[1]

ID: T1021.004
Sub-technique of:  T1021
Tactic: Lateral Movement
Platforms: Linux, macOS
System Requirements: An SSH server is configured and running.
Data Sources: Authentication logs, Netflow/Enclave netflow, Network protocol analysis, Process use of network
Version: 1.0
Created: 11 February 2020
Last Modified: 23 March 2020

Procedure Examples

Name Description

APT39 used secure shell (SSH) to move laterally among their targets. [2]

Cobalt Strike

Cobalt Strike can SSH to a remote service.[3]


Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.[4]


GCMAN uses Putty for lateral movement.[5]


Leviathan used ssh for internal reconnaissance.[6]


menuPass has used Putty Secure Copy Client (PSCP) to transfer data.[7]


OilRig has used Putty to access compromised systems.[8]


Rocke has spread its coinminer via SSH.[9]


TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[10]


Mitigation Description
Disable or Remove Feature or Program

Disable the SSH daemon on systems that do not require it.

Multi-factor Authentication

Require multi-factor authentication for SSH connections wherever possible.

User Account Management

Limit which user accounts are allowed to login via SSH.


Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.