Remote Services: SSH

Adversaries may take a "living-off-the-land" approach and use Secure Shell (SSH), which is typically preinstalled on victim machines, to perform Lateral Movement to other targets and to maintain access through an External Remote Service.

SSH is the standard protocol for remote access to Linux (and other Unix-like) servers, macOS and, increasingly, Windows machines. It is widely used in production environments: by developers running scripts that connect to several servers at once for tests, by configuration-management and provisioning tools (such as Terraform, Chef, Puppet and Ansible) that connect to target hosts to apply local changes, and by CI/CD automation that connects to production servers to configure runtimes and push software builds.[1]

An SSH client is installed by default on Linux and macOS, and the server (sshd) is usually either already running or present but disabled. Where it is disabled, an attacker with sufficient privileges can enable it and use it for Persistence.

Where password authentication is enabled, attackers may attempt to Brute Force the login using lists of common or default username and password combinations.

Where public-key authentication is used, attackers will instead attempt to collect Private Keys (for example from user home directories or from the CI/CD and configuration-management hosts mentioned above) and use them as Valid Accounts to log into remote machines over SSH.

With a compromised private key or password, adversaries can act on the remote host with the full privileges of the account they logged in as.

Procedure Examples

Name Description

APT20
APT20 has used SSH to move laterally within victim networks.

APT39
APT39 used secure shell (SSH) to move laterally among their targets.[2]

APT40
APT40 used SSH for internal reconnaissance and lateral movement.[3]

Cobalt Strike
Cobalt Strike can SSH to a remote service.[4]

Rocke
Rocke moves laterally across the network over SSH to infect further machines with a cryptominer.[5][6][7]

UNC1945
The group uses SSH Remote Services for Lateral Movement within the victim network and into third-party networks, and for Persistence on the network by enabling SSH port forwarding.

Windigo
Windigo uses SSH Remote Services to persist on infected machines.

Mitigations

Mitigation Description
SSH Protect
Manage SSH keys as a security asset: inventory private keys and authorized_keys entries, remove keys belonging to departed users and stale automation, rotate keys on a schedule, and restrict what each key may do with authorized_keys options such as from= and command=. Where key-based authentication is in place, disable password authentication to remove the brute-force path, and disable TCP forwarding on hosts that do not need it to deny the port-forwarding persistence described above.
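The following audit script is an added example for this page, not a tool the page or any of the referenced groups describe. It checks an sshd_config text against a small hardening baseline (no root login, no password authentication, keys required, no TCP forwarding, limited authentication tries) and emits a corrected copy. It encodes two caveats practitioners get bitten by: sshd keeps the first value it reads for each keyword, so a "fix" appended at the end of the file is silently ignored, and keywords inside a Match block apply only to matching connections. The sample configuration is constructed, and the DEFAULTS table is an assumption reflecting upstream OpenSSH 8.x defaults; distribution packages may ship different defaults.

```python
"""Audit an sshd_config text against a small hardening baseline and emit a fixed copy.

Caveats encoded here: sshd keeps the FIRST value it reads for each keyword (later
duplicates are ignored), and keywords inside a Match block apply only to matching
connections, so the global section is parsed first-wins up to the first Match line.
"""
import re

# Constructed weak configuration (not taken from any real host).
WEAK_CONFIG = """\
# /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
AllowTcpForwarding yes
# an admin later appends this, but sshd already took the first value above
PasswordAuthentication no
Match User backup
    AllowTcpForwarding no
"""

# keyword -> (required value, why)
BASELINE = {
    "PermitRootLogin": ("no", "log in as a named user and escalate with sudo"),
    "PasswordAuthentication": ("no", "passwords invite brute force; require keys"),
    "PubkeyAuthentication": ("yes", "key-based authentication must stay on"),
    "AllowTcpForwarding": ("no", "port forwarding is used for persistence and pivoting"),
    "PermitEmptyPasswords": ("no", "empty passwords must be rejected"),
    "MaxAuthTries": ("3", "cap password guesses per connection"),
}
# Value sshd assumes when the keyword is absent (assumed upstream OpenSSH 8.x defaults).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password", "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes", "AllowTcpForwarding": "yes",
    "PermitEmptyPasswords": "no", "MaxAuthTries": "6",
}
CANON = {k.lower(): k for k in BASELINE}           # sshd keywords are case-insensitive
KV_RE = re.compile(r"^(\w+)(?:\s+|\s*=\s*)(.*)$")  # "Keyword value" or "Keyword=value"


def _tokens(config_text):
    """Yield (raw_line, keyword_lowercased_or_None, value) with comments stripped."""
    for raw in config_text.splitlines():
        m = KV_RE.match(raw.split("#", 1)[0].strip())
        yield raw, (m.group(1).lower() if m else None), (m.group(2).strip() if m else "")


def effective_settings(config_text):
    """Global-section values as sshd resolves them: first occurrence wins, stop at Match."""
    seen = {}
    for _, key, value in _tokens(config_text):
        if key == "match":
            break
        if key in CANON:
            seen.setdefault(CANON[key], value)
    return seen


def audit(config_text):
    """Return {keyword: (actual, required, reason)} for each baseline violation."""
    actual = effective_settings(config_text)
    findings = {}
    for key, (required, reason) in BASELINE.items():
        value = actual.get(key, DEFAULTS[key]).lower()
        ok = int(value) <= int(required) if key == "MaxAuthTries" else value == required
        if not ok:
            findings[key] = (value, required, reason)
    return findings


def hardened(config_text):
    """Prepend the baseline and drop conflicting global lines; Match blocks are kept verbatim."""
    out = [f"{key} {required}" for key, (required, _) in BASELINE.items()]
    in_match = False
    for raw, key, _ in _tokens(config_text):
        in_match = in_match or key == "match"
        if key in CANON and not in_match:
            continue  # superseded by the baseline line emitted above
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, (actual, required, reason) in audit(WEAK_CONFIG).items():
        print(f"{key}: is '{actual}', should be '{required}' ({reason})")
    print(hardened(WEAK_CONFIG))
```

Run against the sample, the audit reports PasswordAuthentication as "yes" even though the file ends with "PasswordAuthentication no", which is exactly what sshd does; confirm on a live host with `sshd -T`, which prints the effective configuration after all parsing.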

Detection

Use of SSH may be legitimate depending on the environment and how it is used. Other factors, such as access patterns and the activity that follows a remote login, may indicate suspicious or malicious use of SSH. Monitor for user accounts logging into systems they would not normally access, and for one account or source reaching many systems over a relatively short period. In authentication logs, sshd records each "Accepted" and "Failed" attempt with the user, source address and method (and the key fingerprint for public-key logins), so bursts of failed passwords from one source, a success following such a burst, a single identity accepted on many hosts in a short window, and logins from workstations that are not normal SSH sources are all visible there; combine this with network telemetry to catch new listening ports or port forwards established after login.
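The two patterns that matter most on this page, password brute force followed by a successful login and one identity fanning out across many hosts, can be picked out of ordinary sshd authentication logs. The script below is an added example, not detection content from the page or any referenced vendor: it parses constructed sample lines in the syslog format OpenSSH writes to /var/log/auth.log or /var/log/secure (hostnames, users, addresses and the key fingerprint are made up) and applies sliding-window thresholds. The thresholds and the log year are assumptions to tune per environment.

```python
"""Flag SSH brute force and lateral-movement fan-out in sshd authentication logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: hosts, users, addresses and fingerprint are invented.
SAMPLE_LOG = """\
Mar 16 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 40122 ssh2
Mar 16 10:00:03 web01 sshd[1203]: Failed password for root from 10.0.0.5 port 40123 ssh2
Mar 16 10:00:05 web01 sshd[1205]: Failed password for root from 10.0.0.5 port 40124 ssh2
Mar 16 10:00:07 web01 sshd[1207]: Failed password for invalid user test from 10.0.0.5 port 40125 ssh2
Mar 16 10:00:09 web01 sshd[1209]: Failed password for root from 10.0.0.5 port 40126 ssh2
Mar 16 10:00:12 web01 sshd[1211]: Accepted password for root from 10.0.0.5 port 40127 ssh2
Mar 16 10:30:00 db01 sshd[2201]: Accepted publickey for deploy from 10.0.0.7 port 51000 ssh2: RSA SHA256:VkZ0x9Qm3F7yJv2kQ4Xb8aL1nP0rTcD5eH6sW9uYi3o
Mar 16 10:30:40 db02 sshd[2210]: Accepted publickey for deploy from 10.0.0.7 port 51002 ssh2: RSA SHA256:VkZ0x9Qm3F7yJv2kQ4Xb8aL1nP0rTcD5eH6sW9uYi3o
Mar 16 10:31:15 app01 sshd[3011]: Accepted publickey for deploy from 10.0.0.7 port 51004 ssh2: RSA SHA256:VkZ0x9Qm3F7yJv2kQ4Xb8aL1nP0rTcD5eH6sW9uYi3o
Mar 16 10:31:50 app02 sshd[3020]: Accepted publickey for deploy from 10.0.0.7 port 51006 ssh2: RSA SHA256:VkZ0x9Qm3F7yJv2kQ4Xb8aL1nP0rTcD5eH6sW9uYi3o
Mar 16 11:00:00 web01 sshd[1400]: Failed password for alice from 10.0.0.9 port 42000 ssh2
Mar 16 11:00:20 web01 sshd[1402]: Accepted password for alice from 10.0.0.9 port 42001 ssh2
"""

LOG_YEAR = 2021  # syslog timestamps carry no year; assumed for the sample

# Matches the "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>"
# lines sshd emits; other messages (disconnects, banners, key fingerprints alone) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn sshd Accepted/Failed lines into dicts sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({**m.groupdict(), "ts": ts})
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Source addresses with >= threshold failed logins inside any sliding window,
    plus whether that source later obtained an Accepted login (a guess that worked)."""
    fails, accepts = defaultdict(list), defaultdict(list)
    for e in events:
        (fails if e["result"] == "Failed" else accepts)[e["src"]].append(e["ts"])
    hits = {}
    for src, times in fails.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = {"failures": best,
                         "then_accepted": any(a >= times[0] for a in accepts[src])}
    return hits


def detect_fan_out(events, min_hosts=3, window=timedelta(minutes=5)):
    """Accounts accepted on >= min_hosts distinct hosts inside a window: one identity
    spreading across the estate, the pattern in the lateral-movement examples above."""
    logins = defaultdict(list)
    for e in events:
        if e["result"] == "Accepted":
            logins[e["user"]].append((e["ts"], e["host"]))
    hits = {}
    for user, items in logins.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            hosts = sorted({h for _, h in items[start:end + 1]})
            if len(hosts) >= min_hosts and len(hosts) > len(hits.get(user, [])):
                hits[user] = hosts
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, info in detect_brute_force(evs).items():
        print(f"brute force from {src}: {info}")
    for user, hosts in detect_fan_out(evs).items():
        print(f"fan-out by {user}: {hosts}")
```

On the sample this reports 10.0.0.5 for five failures in under a minute followed by an accepted root password, and the deploy key fanning out to four hosts in two minutes; alice's single typo is below threshold. The fan-out rule needs logs from all hosts in one place, which is why the centralised authentication log is listed as a data source for this technique.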

References


ID
VT0020.001
Sub-techniques
Tactic
Lateral Movement
Platforms
Linux
macOS
System Requirements
An SSH server is configured and running.
Data Sources
Authentication logs
Netflow/Enclave netflow
Network protocol analysis
Process use of network
CAPEC ID
Version
1.0

Created: 16 March 2021

Last Modified: 16 March 2021