Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1021.004 | SSH | |
| CM-05 | Access Restrictions for Change | mitigates | T1021.004 | SSH | |
| IA-05 | Authenticator Management | mitigates | T1021.004 | SSH | |
| AC-17 | Remote Access | mitigates | T1021.004 | SSH | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1021.004 | SSH | |
| CM-08 | System Component Inventory | mitigates | T1021.004 | SSH | |
| AC-20 | Use of External Systems | mitigates | T1021.004 | SSH | |
| CM-02 | Baseline Configuration | mitigates | T1021.004 | SSH | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1021.004 | SSH | |
| SI-04 | System Monitoring | mitigates | T1021.004 | SSH | |
| AC-02 | Account Management | mitigates | T1021.004 | SSH | |
| AC-03 | Access Enforcement | mitigates | T1021.004 | SSH | |
| AC-05 | Separation of Duties | mitigates | T1021.004 | SSH | |
| AC-06 | Least Privilege | mitigates | T1021.004 | SSH | |
| AC-07 | Unsuccessful Logon Attempts | mitigates | T1021.004 | SSH |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| shielded_vm | Shielded VM | technique_scores | T1021.004 | SSH |
Comments
Chronicle is able to trigger an alert based on accounts and authorized device access to a certain IP range (e.g., "Attempted Lateral Movement via SSH metadata pivoting").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/tree/main/gcp_cloudaudit
References
|
| vpc_service_controls | VPC Service Controls | technique_scores | T1021.004 | SSH |
Comments
This control can be used to detect adversaries that may try to use Valid Accounts to log into remote machines using Secure Shell (SSH).
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_inspector | Amazon Inspector | technique_scores | T1021.004 | SSH |
Comments
The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, "Disable root login over SSH". This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score.
References
|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1021.004 | SSH |
Comments
VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1021.004 | SSH |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.
References
|