Description
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)
SSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.
Platforms
Mitigations (4)
Restrict File and Directory PermissionsM1022
Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities.
Disable or Remove Feature or ProgramM1042
Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. (Citation: Symantec SSH and ssh-agent)
Password PoliciesM1027
Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected.
Privileged Account ManagementM1026
Do not allow remote access via SSH as root or other privileged accounts.
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1220 | MEDUSA | Malware | [MEDUSA](https://attack.mitre.org/software/S1220) can be configured to capture SSH credentials via SSH hijacking.(Citation: Google Cloud Mandiant UNC3... |
References
- Adam Boileau. (2005, August 5). Trust Transience: Post Intrusion SSH Hijacking. Retrieved December 19, 2017.
- Beuchler, B. (2012, September 28). SSH Agent Hijacking. Retrieved November 17, 2024.
- Duarte, H., Morrison, B. (2012). (Mis)trusting and (ab)using ssh. Retrieved January 8, 2018.
- Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr 11 security incident. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1563.001 (SSH Hijacking)?
T1563.001 is a MITRE ATT&CK technique named 'SSH Hijacking'. It belongs to the Lateral Movement tactic(s). Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to...
How can T1563.001 be detected?
Detection of T1563.001 (SSH Hijacking) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1563.001?
There are 4 documented mitigations for T1563.001. Key mitigations include: Restrict File and Directory Permissions, Disable or Remove Feature or Program, Password Policies, Privileged Account Management.
Which threat groups use T1563.001?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.