Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.
APT39 used secure shell (SSH) to move laterally among their targets.
Cobalt Strike can SSH to a remote service.
Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.
FIN7 has used SSH to move laterally through victim environments.
Fox Kitten has used the PuTTY and Plink tools for lateral movement.
Lazarus Group used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.
menuPass has used Putty Secure Copy Client (PSCP) to transfer data.
TeamTNT has used SSH to connect back to victim machines. TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.
TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.
|M1042||Disable or Remove Feature or Program||
Disable the SSH daemon on systems that do not require it. For macOS ensure Remote Login is disabled under Sharing Preferences.
Require multi-factor authentication for SSH connections wherever possible, such as password protected SSH keys.
|M1018||User Account Management||
Limit which user accounts are allowed to login via SSH.
|ID||Data Source||Data Component||Detects|
|DS0028||Logon Session||Logon Session Creation||
Monitor for user accounts logged into systems that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on Linux systems SSH logon activity can be found in the logs located in
|DS0029||Network Traffic||Network Connection Creation||
Monitor for newly constructed network connections (typically port 22) that may use Valid Accounts to log into remote machines using Secure Shell (SSH). Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH.
Monitor for newly executed processes that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on macOS systems