T1563.001 SSH Hijacking Mappings

Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)

SSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1563.001 SSH Hijacking
AC-2 Account Management Protects T1563.001 SSH Hijacking
AC-3 Access Enforcement Protects T1563.001 SSH Hijacking
AC-5 Separation of Duties Protects T1563.001 SSH Hijacking
AC-6 Least Privilege Protects T1563.001 SSH Hijacking
CA-7 Continuous Monitoring Protects T1563.001 SSH Hijacking
CM-2 Baseline Configuration Protects T1563.001 SSH Hijacking
CM-5 Access Restrictions for Change Protects T1563.001 SSH Hijacking
CM-6 Configuration Settings Protects T1563.001 SSH Hijacking
CM-7 Least Functionality Protects T1563.001 SSH Hijacking
CM-8 System Component Inventory Protects T1563.001 SSH Hijacking
IA-2 Identification and Authentication (organizational Users) Protects T1563.001 SSH Hijacking
IA-5 Authenticator Management Protects T1563.001 SSH Hijacking
RA-5 Vulnerability Monitoring and Scanning Protects T1563.001 SSH Hijacking
SC-12 Cryptographic Key Establishment and Management Protects T1563.001 SSH Hijacking
SC-23 Session Authenticity Protects T1563.001 SSH Hijacking
SI-4 System Monitoring Protects T1563.001 SSH Hijacking
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1563.001 Remote Service Session Hijacking: SSH Hijacking
action.malware.vector.Network propagation Network propagation related-to T1563.001 Remote Service Session Hijacking: SSH Hijacking