T1021.004 SSH
Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.
| Item | Value |
|---|---|
| ID | T1021.004 |
| Sub-techniques | T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1021.007 |
| Tactics | TA0008 |
| Platforms | Linux, macOS |
| Version | 1.1 |
| Created | 11 February 2020 |
| Last Modified | 30 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0087 | APT39 | APT39 used secure shell (SSH) to move laterally among their targets.11 |
| G0098 | BlackTech | BlackTech has used Putty for remote access.15 |
| S0154 | Cobalt Strike | Cobalt Strike can SSH to a remote service.45 |
| S0363 | Empire | Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.2 |
| G0046 | FIN7 | FIN7 has used SSH to move laterally through victim environments.10 |
| G0117 | Fox Kitten | Fox Kitten has used the PuTTY and Plink tools for lateral movement.16 |
| G0036 | GCMAN | GCMAN uses Putty for lateral movement.18 |
| S0599 | Kinsing | Kinsing has used SSH for lateral movement.3 |
| G0032 | Lazarus Group | Lazarus Group used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.14 |
| G0065 | Leviathan | Leviathan used ssh for internal reconnaissance.6 |
| G0045 | menuPass | menuPass has used Putty Secure Copy Client (PSCP) to transfer data.7 |
| G0049 | OilRig | OilRig has used Putty to access compromised systems.8 |
| G0106 | Rocke | Rocke has spread its coinminer via SSH.9 |
| G0139 | TeamTNT | TeamTNT has used SSH to connect back to victim machines.13 TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.12 |
| G0088 | TEMP.Veles | TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.17 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Disable the SSH daemon on systems that do not require it. For macOS ensure Remote Login is disabled under Sharing Preferences.1 |
| M1032 | Multi-factor Authentication | Require multi-factor authentication for SSH connections wherever possible, such as password protected SSH keys. |
| M1018 | User Account Management | Limit which user accounts are allowed to login via SSH. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0028 | Logon Session | Logon Session Creation |
| DS0029 | Network Traffic | Network Connection Creation |
| DS0009 | Process | Process Creation |
References
-
Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021. ↩
-
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. ↩
-
Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021. ↩
-
Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. ↩
-
Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. ↩
-
Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019. ↩
-
PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. ↩
-
Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023. ↩
-
Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. ↩
-
Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. ↩
-
Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. ↩
-
Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. ↩
-
Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021. ↩
-
Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. ↩
-
Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022. ↩
-
CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. ↩
-
Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. ↩
-
Kaspersky Lab’s Global Research & Analysis Team. (2016, February 8). APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. Retrieved April 20, 2016. ↩