Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-17 | Remote Access | Protects | T1021.004 | SSH |
AC-02 | Account Management | Protects | T1021.004 | SSH |
AC-20 | Use of External Systems | Protects | T1021.004 | SSH |
AC-03 | Access Enforcement | Protects | T1021.004 | SSH |
AC-05 | Separation of Duties | Protects | T1021.004 | SSH |
AC-06 | Least Privilege | Protects | T1021.004 | SSH |
AC-07 | Unsuccessful Logon Attempts | Protects | T1021.004 | SSH |
CM-02 | Baseline Configuration | Protects | T1021.004 | SSH |
CM-05 | Access Restrictions for Change | Protects | T1021.004 | SSH |
CM-06 | Configuration Settings | Protects | T1021.004 | SSH |
CM-08 | System Component Inventory | Protects | T1021.004 | SSH |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1021.004 | SSH |
IA-05 | Authenticator Management | Protects | T1021.004 | SSH |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1021.004 | SSH |
SI-04 | System Monitoring | Protects | T1021.004 | SSH |