Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to log in as that user.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-01.05 | Remote access protection | Mitigates | T1021.004 | SSH | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.AA-05.02 | Privileged system access | Mitigates | T1021.004 | SSH | This diagnostic statement protects against SSH through the use of privileged account management and the use of multi-factor authentication. |
PR.AA-02.01 | Authentication of identity | Mitigates | T1021.004 | SSH | This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1021.004 | SSH | This diagnostic statement protects against Remote Services: SSH through the use of revocation of keys and key management. Employing key protection strategies for key material used in SSH, together with limitations to specific accounts and access control mechanisms, limits adversaries attempting to use valid accounts on SSH. |
PR.AA-03.01 | Authentication requirements | Mitigates | T1021.004 | SSH | This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1021.004 | SSH | This diagnostic statement protects against SSH through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1021.004 | SSH | |
CM-05 | Access Restrictions for Change | mitigates | T1021.004 | SSH | |
IA-05 | Authenticator Management | mitigates | T1021.004 | SSH | |
AC-17 | Remote Access | mitigates | T1021.004 | SSH | |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1021.004 | SSH | |
CM-08 | System Component Inventory | mitigates | T1021.004 | SSH | |
AC-20 | Use of External Systems | mitigates | T1021.004 | SSH | |
CM-02 | Baseline Configuration | mitigates | T1021.004 | SSH | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1021.004 | SSH | |
SI-04 | System Monitoring | mitigates | T1021.004 | SSH | |
AC-02 | Account Management | mitigates | T1021.004 | SSH | |
AC-03 | Access Enforcement | mitigates | T1021.004 | SSH | |
AC-05 | Separation of Duties | mitigates | T1021.004 | SSH | |
AC-06 | Least Privilege | mitigates | T1021.004 | SSH | |
AC-07 | Unsuccessful Logon Attempts | mitigates | T1021.004 | SSH | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | technique_scores | T1021.004 | SSH | This control may provide recommendations to ensure sshd is not running within Docker containers. This can prevent attackers from utilizing unmonitored SSH servers within containers. This may not prevent attackers from installing an SSH server in containers or hosts. |
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1021.004 | SSH | This control may alert on SSH brute force attempts, addition of new SSH keys, and usage of an SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement. |
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1021.004 | SSH | This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1021.004 | SSH | This control can detect anomalous traffic with respect to remote access protocols and groups. |
azure_policy | Azure Policy | technique_scores | T1021.004 | SSH | This control may provide recommendations to restrict public SSH access and enable usage of SSH keys. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
shielded_vm | Shielded VM | technique_scores | T1021.004 | SSH | Chronicle is able to trigger an alert based on accounts and authorized device access to a certain IP range (e.g., "Attempted Lateral Movement via SSH metadata pivoting"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/tree/main/gcp_cloudaudit |
vpc_service_controls | VPC Service Controls | technique_scores | T1021.004 | SSH | This control can be used to detect adversaries that may try to use Valid Accounts to log into remote machines using Secure Shell (SSH). |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_inspector | Amazon Inspector | technique_scores | T1021.004 | SSH | The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints, specifically "Disable root login over SSH". This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal, leading to an overall Minimal score. |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1021.004 | SSH | VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1021.004 | SSH | AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack. |