Remote Service Session Hijacking: SSH Hijacking

ID Name
T1563.001 SSH Hijacking
T1563.002 RDP Hijacking

Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.[1][2][3][4]

SSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.

ID: T1563.001
Sub-technique of:  T1563
Platforms: Linux, macOS
System Requirements: SSH service enabled, trust relationships configured, established connections
Permissions Required: root
Contributors: Anastasios Pingios
Version: 1.0
Created: 25 February 2020
Last Modified: 23 March 2020

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. [5]

M1027 Password Policies

Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected.

M1026 Privileged Account Management

Do not allow remote access via SSH as root or other privileged accounts.

M1022 Restrict File and Directory Permissions

Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0028 Logon Session Logon Session Creation
DS0029 Network Traffic Network Traffic Content
Network Traffic Flow
DS0009 Process Process Creation

Use of SSH may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.

References