T1563.001 SSH Hijacking
Adversaries may hijack a legitimate user’s SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent’s socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.1234
SSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.
Item | Value |
---|---|
ID | T1563.001 |
Sub-techniques | T1563.001, T1563.002 |
Tactics | TA0008 |
Platforms | Linux, macOS |
Permissions required | root |
Version | 1.0 |
Created | 25 February 2020 |
Last Modified | 23 March 2020 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program | Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. 5 |
M1027 | Password Policies | Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected. |
M1026 | Privileged Account Management | Do not allow remote access via SSH as root or other privileged accounts. |
M1022 | Restrict File and Directory Permissions | Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0028 | Logon Session | Logon Session Creation |
DS0029 | Network Traffic | Network Traffic Content |
DS0009 | Process | Process Creation |
References
-
Adam Boileau. (2005, August 5). Trust Transience: Post Intrusion SSH Hijacking. Retrieved December 19, 2017. ↩
-
Beuchler, B. (2012, September 28). SSH Agent Hijacking. Retrieved December 20, 2017. ↩
-
Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr 11 security incident. Retrieved February 17, 2020. ↩
-
Hatch, B. (2004, November 22). SSH and ssh-agent. Retrieved January 8, 2018. ↩