Remote Services: SSH

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although it is typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In the keypair scenario, the user's public key must be in a special file on the computer running the server that lists which keypairs are allowed to log in as that user.

ID: T1021.004
Sub-technique of: T1021
Platforms: Linux, macOS
System Requirements: An SSH server is configured and running.
CAPEC ID: CAPEC-555
Version: 1.1
Created: 11 February 2020
Last Modified: 15 October 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
G0087 APT39

APT39 used secure shell (SSH) to move laterally among their targets.[1]

S0154 Cobalt Strike

Cobalt Strike can SSH to a remote service.[2][3]

S0363 Empire

Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.[4]

G0046 FIN7

FIN7 has used SSH to move laterally through victim environments.[5]

G0117 Fox Kitten

Fox Kitten has used the PuTTY and Plink tools for lateral movement.[6]

G0036 GCMAN

GCMAN uses PuTTY for lateral movement.[7]

S0599 Kinsing

Kinsing has used SSH for lateral movement.[8]

G0065 Leviathan

Leviathan used SSH for internal reconnaissance.[9]

G0045 menuPass

menuPass has used PuTTY Secure Copy Client (PSCP) to transfer data.[10]

G0049 OilRig

OilRig has used PuTTY to access compromised systems.[11]

G0106 Rocke

Rocke has spread its coinminer via SSH.[12]

G0139 TeamTNT

TeamTNT has used SSH to connect back to victim machines.[13]

G0088 TEMP.Veles

TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[14]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable the SSH daemon on systems that do not require it. For macOS, ensure Remote Login is disabled under Sharing Preferences.[15]

M1032 Multi-factor Authentication

Require multi-factor authentication for SSH connections wherever possible, such as password-protected SSH keys.

M1018 User Account Management

Limit which user accounts are allowed to log in via SSH.
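The three mitigations above map onto a small set of sshd_config directives. The fragment below is an added example and is not part of the ATT&CK page: the first block shows the permissive settings, the second the hardened equivalents. The group name ssh-users is an assumed placeholder, and the PAM module that supplies the second factor is outside this fragment. One caveat on M1032: a passphrase on a private key is checked by the client, never by the server, so the server-side way to insist on a second factor is AuthenticationMethods, which here chains public-key authentication with a PAM-backed keyboard-interactive step.

```conf
# --- Permissive settings (what many hosts ship with or drift into) ---
PermitRootLogin yes
PasswordAuthentication yes
# No AllowUsers/AllowGroups: every local account with a shell may log in.

# --- Hardened equivalent (added example; ssh-users is an assumed group name) ---
# M1018: only members of one group may authenticate at all.
AllowGroups ssh-users
PermitRootLogin no

# Key-based login only. The "special file" of permitted public keys is the
# user's ~/.ssh/authorized_keys; this is sshd's default, stated explicitly so
# that it is auditable.
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# M1032: require a key AND a second factor handled by PAM (keyboard-interactive).
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
KbdInteractiveAuthentication yes

# Limit guessing and record key fingerprints; VERBOSE logging feeds the
# auth.log review described under Detection.
MaxAuthTries 3
LoginGraceTime 30
LogLevel VERBOSE
```

Validate the file with `sshd -t` before reloading the daemon, and keep an existing session open while testing so a mistake in AllowGroups or AuthenticationMethods does not lock you out of the host.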

Detection

ID      Data Source      Data Component
DS0028  Logon Session    Logon Session Creation
DS0029  Network Traffic  Network Connection Creation
DS0009  Process          Process Creation

Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.

On macOS systems log show --predicate 'process = "sshd"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = "ssh" or eventMessage contains "ssh"' can be used to review outgoing SSH connection activity.[15]

On Linux systems, SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure, depending on the distribution you are using.
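As an added example (not from the ATT&CK page), the script below applies the two heuristics from the Detection text, accounts logging into hosts they do not normally access and one account reaching many hosts in a short period, to lines in the Linux sshd log format named above. It assumes the auth.log / secure lines have been forwarded to a central collector so that several hosts appear in one stream; the sample log lines, the per-user host baseline and the thresholds are all constructed for this example.

```python
"""Flag suspicious SSH logins in centrally collected auth.log lines.

Added example implementing the two heuristics from the Detection text:
  * an account logging into a host absent from its baseline, and
  * one account fanning out to many hosts within a short window.
Log lines and the baseline are constructed and not from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd writes a line of this shape to /var/log/auth.log (Debian family) or
# /var/log/secure (RHEL family) for every successful login. The hostname
# field tells events apart once logs are forwarded to a collector.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: a deploy account behaving normally, then a single
# account (svc-backup) reaching five hosts in four minutes, three of which
# it never normally logs into. The failed-login line is ignored on purpose.
SAMPLE_LOG = """\
Mar  3 10:01:12 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
Mar  3 10:02:40 web02 sshd[887]: Accepted publickey for deploy from 10.0.0.5 port 51030 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
Mar  3 10:05:03 web01 sshd[1260]: Failed password for invalid user admin from 203.0.113.9 port 40012 ssh2
Mar  3 11:20:01 web02 sshd[1302]: Accepted password for svc-backup from 10.0.0.77 port 41000 ssh2
Mar  3 11:20:45 db01 sshd[990]: Accepted password for svc-backup from 10.0.0.77 port 41008 ssh2
Mar  3 11:21:30 db02 sshd[1001]: Accepted password for svc-backup from 10.0.0.77 port 41015 ssh2
Mar  3 11:22:10 jump01 sshd[2200]: Accepted password for svc-backup from 10.0.0.77 port 41021 ssh2
Mar  3 11:23:55 ci01 sshd[3100]: Accepted password for svc-backup from 10.0.0.77 port 41033 ssh2
"""

# Constructed baseline: hosts each account is expected to log into. In
# practice this is derived from historical logon-session data, not typed in.
BASELINE = {
    "deploy": {"web01", "web02"},
    "svc-backup": {"db01", "db02"},
}

LOG_YEAR = 2024  # syslog timestamps carry no year; assume one for parsing


def parse_accepted(lines):
    """Yield (time, host, user, src, method) for each successful login."""
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failures and unrelated lines are skipped here
        ts = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
        when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        yield when, m["host"], m["user"], m["src"], m["method"]


def find_suspicious(lines, baseline, max_hosts=3, window=timedelta(minutes=10)):
    """Return a list of (user, reason) findings.

    "unusual-host:<host>" is raised for every login to a host missing from the
    user's baseline; "fan-out:<n>-hosts" once per user when more than
    max_hosts distinct hosts fall inside any sliding window of length window.
    """
    findings = []
    per_user = defaultdict(list)
    for when, host, user, src, method in parse_accepted(lines):
        per_user[user].append((when, host))
        if host not in baseline.get(user, set()):
            findings.append((user, f"unusual-host:{host}"))

    for user, events in per_user.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) > max_hosts:
                findings.append((user, f"fan-out:{len(hosts)}-hosts"))
                break  # one fan-out finding per user is enough
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious(SAMPLE_LOG.splitlines(), BASELINE):
        print(f"{user}\t{reason}")
```

Run against the constructed sample, only svc-backup is reported: three unusual-host findings (web02, jump01, ci01) and one fan-out finding once its fourth distinct host falls inside the ten-minute window. The deploy account, which stays within its baseline and touches only two hosts, produces nothing. The same two heuristics apply unchanged to the macOS `log show` output mentioned above; only the regular expression for the line format would differ.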

References