Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to log in as that user.(Citation: SSH Secure Shell)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | Protects | T1021.004 | SSH | |
AC-2 | Account Management | Protects | T1021.004 | SSH | |
AC-20 | Use of External Systems | Protects | T1021.004 | SSH | |
AC-3 | Access Enforcement | Protects | T1021.004 | SSH | |
AC-5 | Separation of Duties | Protects | T1021.004 | SSH | |
AC-6 | Least Privilege | Protects | T1021.004 | SSH | |
AC-7 | Unsuccessful Logon Attempts | Protects | T1021.004 | SSH | |
CM-2 | Baseline Configuration | Protects | T1021.004 | SSH | |
CM-5 | Access Restrictions for Change | Protects | T1021.004 | SSH | |
CM-6 | Configuration Settings | Protects | T1021.004 | SSH | |
CM-8 | System Component Inventory | Protects | T1021.004 | SSH | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1021.004 | SSH | |
IA-5 | Authenticator Management | Protects | T1021.004 | SSH | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1021.004 | SSH | |
SI-4 | System Monitoring | Protects | T1021.004 | SSH | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1021.004 | SSH | This control may alert on SSH brute force attempts, addition of new SSH keys, and usage of an SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement. |
network_security_groups | Network Security Groups | technique_scores | T1021.004 | SSH | This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
azure_sentinel | Azure Sentinel | technique_scores | T1021.004 | SSH | The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains modules for executing commands over SSH as well as in-memory VNC agent injection, but does not address other procedures. Azure Sentinel Analytics also provides a "New internet-exposed SSH endpoints" query. The coverage for these queries is minimal, resulting in an overall Minimal score. |
azure_policy | Azure Policy | technique_scores | T1021.004 | SSH | This control may provide recommendations to restrict public SSH access and enable usage of SSH keys. |
azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1021.004 | SSH | This control can detect anomalous traffic with respect to remote access protocols and groups. |
docker_host_hardening | Docker Host Hardening | technique_scores | T1021.004 | SSH | This control may provide recommendations to ensure sshd is not running within Docker containers. This can prevent attackers from utilizing unmonitored SSH servers within containers. It may not prevent attackers from installing an SSH server in containers or hosts. |
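As an added example (not code from the ATT&CK page or from any of the mapped Azure controls), the following Python script reviews sshd log lines against an inventory of the key fingerprints expected in each user's authorized file and against the trusted networks a network security group would permit, which covers the gap the auditd mapping notes: a valid account using an existing SSH key for lateral movement. The log lines, the `BASELINE` fingerprints and the `TRUSTED` subnet are constructed assumptions for the example.

```python
import re
import ipaddress

# Constructed sample sshd syslog lines (not captured from a real host).
SAMPLE_LOG = """\
Mar  3 10:01:02 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Mar  3 10:02:10 host1 sshd[2110]: Accepted publickey for deploy from 10.0.0.5 port 41000 ssh2: ED25519 SHA256:keyA
Mar  3 10:30:44 host1 sshd[2150]: Accepted publickey for deploy from 10.0.0.99 port 41001 ssh2: ED25519 SHA256:keyB
Mar  3 10:31:00 host1 sshd[2151]: Accepted publickey for deploy from 192.168.9.9 port 41002 ssh2: ED25519 SHA256:keyA
Mar  3 10:32:15 host1 sshd[2152]: Accepted password for ops from 10.0.0.7 port 41003 ssh2
"""
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>publickey|password) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2(?:: \S+ (?P<fp>SHA256:\S+))?"
)

def parse(log):
    """One dict per OpenSSH auth line (fp is None for password logins); other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def review_logins(events, baseline, trusted_nets):
    """Flag successful logins that used a password, a key fingerprint not in the
    user's baseline (authorized_keys inventory), or a source outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for ev in events:
        if ev["result"] != "Accepted":
            continue  # failed attempts belong to brute-force counting, not this check
        reasons = []
        if ev["method"] == "password":
            reasons.append("password auth")
        elif ev["fp"] not in baseline.get(ev["user"], set()):
            reasons.append("unknown key")
        if not any(ipaddress.ip_address(ev["ip"]) in n for n in nets):
            reasons.append("untrusted source")
        if reasons:
            findings.append((ev["user"], ev["ip"], reasons))
    return findings
# Constructed baseline: fingerprints of the keys expected in each user's authorized_keys.
BASELINE = {"deploy": {"SHA256:keyA"}}
TRUSTED = ["10.0.0.0/24"]  # constructed: the jump-host subnet the network security group allows

if __name__ == "__main__":
    for finding in review_logins(parse(SAMPLE_LOG), BASELINE, TRUSTED):
        print(finding)
```

The known key used from an untrusted subnet is the case the auditd mapping says may go unalerted; the fingerprint baseline is what makes that login stand out.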