MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1021.004: SSH

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_command_and_control: PT-CR-1700: Unix_Proxy_Forwarding: Possible traffic tunneling from a Unix host to a Windows host
profiling: PT-CR-1035: App_1C_User_PC_Abnormal_Access: A suspicious logon to a host with access to the 1C application. Authentication data differ from the collected profile.
profiling: PT-CR-1040: Release_Build_Agent_Abnormal_Access: Suspicious logon to a build agent server. Authentication data differ from the collected profile.
profiling: PT-CR-1044: Developer_PC_Abnormal_Access: Suspicious logon to a developer's computer. Authentication data differ from the collected profile.
profiling: PT-CR-1045: VCS_Server_Abnormal_Access: Suspicious logon to a version control system. Authentication data differ from the collected profile.
profiling: PT-CR-1049: Subrule_Unix_Server_Abnormal_Access: Suspicious connections via SSH to Unix network servers. Authentication data differ from the collected profile.
profiling: PT-CR-1052: Antivirus_Server_Abnormal_Access: Suspicious logon to an antivirus server. Authentication data differ from the collected profile.
profiling: PT-CR-1070: Top_Managers_Abnormal_Access: Suspicious logon to a top manager workstation. Authentication data differ from the collected profile.
profiling: PT-CR-1810: Critical_Server_Abnormal_Access: Suspicious logon to a critical server. Authentication data differ from the collected profile.
profiling: PT-CR-1812: App_1C_Server_Abnormal_Access: Suspicious logon to the 1C application server. Authentication data differ from the collected profile.
unix_mitre_attck_lateral_movement: PT-CR-487: Unix_SSH_Login_by_Daemons: Lateral movement on behalf of a service account is detected. Attackers can use known service accounts to gain remote access to the target system.
profiling: PT-CR-228: Domain_Controller_Abnormal_Access: Suspicious logon to a domain controller. Authentication data differ from the collected profile.

Detection

ID: DS0029
Data source and component: Network Traffic: Network Connection Creation
Description:

Monitor for newly constructed network connections (typically port 22) that may use Valid Accounts to log into remote machines using Secure Shell (SSH). Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH.

Network Analysis Frameworks such as Zeek can be used to capture, decode, and alert on network traffic. Accordingly, they can be used to look for the creation of SSH network connections.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on macOS systems log show --predicate 'process = "sshd"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = "ssh" or eventMessage contains "ssh"' can be used to review outgoing SSH connection activity.

For Linux systems, the Audit framework (auditd) can be used to monitor for the creation of SSH related processes such as ssh.

For macOS systems (10.12+), the above command can be used to look through the Unified Logs for SSH connection activity, though we also recommend including the --debug parameter to ensure that all relevant data is returned: log show --info --debug --predicate 'process = "ssh" or eventMessage contains "ssh"'

ID: DS0028
Data source and component: Logon Session: Logon Session Creation
Description:

Monitor for user accounts logged into systems that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on Linux systems SSH logon activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.

For Linux systems, the Audit framework (auditd) can be used to monitor any writes to SSH log files that store information about logged in accounts such as /var/log/auth.log.

For macOS systems (10.12+), Unified Logs can be queried to show SSH daemon (sshd) messages that include information on logged-in accounts. The following command line can be used to query the last hour's worth of unified logs in this manner: log show --info --debug --predicate 'processImagePath CONTAINS "sshd" AND eventMessage CONTAINS "Accepted"' --last 1h | grep sshd
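The logon-session detections above boil down to parsing the sshd "Accepted"/"Failed" lines that land in /var/log/auth.log or /var/log/secure and comparing each successful logon against what is expected for that account. The following Python script is an added example, not part of the ATT&CK page or of the MaxPatrol SIEM rule set; it parses a constructed auth.log excerpt and applies three checks that mirror the ideas behind the knowledge-base rules listed earlier: a logon by a service account (as in Unix_SSH_Login_by_Daemons), a logon from a source network outside the account's baseline profile (as in the *_Abnormal_Access profiling rules), and a password logon that follows repeated failures. The baseline networks, the service-account list and every host, user and address in the sample are assumptions made up for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the syslog format sshd writes to /var/log/auth.log
# (Debian family) or /var/log/secure (RHEL family). Hosts, users, addresses
# and key fingerprints are invented for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 08:12:01 web01 sshd[1203]: Accepted publickey for alice from 10.0.5.17 port 51234 ssh2: RSA SHA256:EXAMPLEKEYFP1
Mar  3 08:12:05 web01 sshd[1203]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 08:14:22 web01 sshd[1260]: Failed password for bob from 10.0.5.40 port 40012 ssh2
Mar  3 08:14:25 web01 sshd[1260]: Failed password for bob from 10.0.5.40 port 40012 ssh2
Mar  3 08:14:29 web01 sshd[1260]: Accepted password for bob from 10.0.5.40 port 40012 ssh2
Mar  3 08:20:10 web01 sshd[1301]: Accepted publickey for www-data from 10.0.9.3 port 60010 ssh2: ED25519 SHA256:EXAMPLEKEYFP2
Mar  3 08:21:00 web01 sshd[1310]: Failed password for invalid user admin from 198.51.100.7 port 33021 ssh2
Mar  3 08:25:00 web01 sshd[1320]: Accepted publickey for alice from 203.0.113.9 port 50001 ssh2: RSA SHA256:EXAMPLEKEYFP1
"""

# One pattern covers both outcomes; "invalid user" is optional text sshd adds
# when the account does not exist locally.
SSHD_AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Assumed baseline profile: source networks each account normally logs in from.
BASELINE_NETWORKS = {
    "alice": ["10.0.5.0/24"],
    "bob": ["10.0.5.0/24"],
}
# Assumed list of accounts that should never open an interactive SSH session.
SERVICE_ACCOUNTS = {"www-data", "nobody", "daemon", "backup", "postgres"}


def parse_sshd_events(text):
    """Return one dict per sshd authentication line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        match = SSHD_AUTH_LINE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def detect_suspicious_logons(events, baseline=BASELINE_NETWORKS,
                             service_accounts=SERVICE_ACCOUNTS, fail_threshold=2):
    """Apply the three checks to a chronologically ordered event list."""
    alerts = []
    failures = defaultdict(int)  # (user, src) -> failed attempts seen so far
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "Failed":
            failures[key] += 1
            continue
        # Everything below runs only for a successful logon.
        if ev["user"] in service_accounts:
            alerts.append({"rule": "service_account_ssh_logon", **ev})
        expected = [ipaddress.ip_network(n) for n in baseline.get(ev["user"], [])]
        src = ipaddress.ip_address(ev["src"])
        if expected and not any(src in net for net in expected):
            alerts.append({"rule": "logon_outside_profile", **ev})
        if failures[key] >= fail_threshold:
            alerts.append({"rule": "success_after_failures",
                           "failed_attempts": failures[key], **ev})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logons(parse_sshd_events(SAMPLE_AUTH_LOG)):
        print(alert["rule"], alert["user"], alert["src"], alert["ts"])
```

On the sample the script raises exactly three alerts: bob's password logon after two failures, the interactive logon by www-data, and alice's logon from 203.0.113.9, which is outside her baseline network. Accounts with no baseline entry are not checked for source network, so a profile must be built (or the rule widened) before such a check means anything in production.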

Mitigation

ID: M1042
Name: Disable or Remove Feature or Program
Description:

Disable the SSH daemon on systems that do not require it. For macOS ensure Remote Login is disabled under Sharing Preferences.

ID: M1032
Name: Multi-factor Authentication
Description:

Require multi-factor authentication for SSH connections wherever possible, such as password protected SSH keys.

ID: M1018
Name: User Account Management
Description:

Limit which user accounts are allowed to login via SSH.
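Mitigations M1032 and M1018 are both expressed as sshd_config settings on the server, so they can be checked mechanically. The following Python script is an added example, not code from the ATT&CK page or from Positive Technologies; it parses the global (pre-Match) section of an sshd_config and reports settings that leave single-factor password logon open or fail to restrict which accounts may log in. The two config fragments are constructed, and the hardening baseline it checks against (PasswordAuthentication no, AuthenticationMethods requiring two methods, PermitRootLogin no, an AllowUsers or AllowGroups line) is an assumption of the example, not a requirement stated on the page. The OpenSSH defaults used when a keyword is absent (PasswordAuthentication yes, AuthenticationMethods any, PermitRootLogin prohibit-password) are the documented defaults of current OpenSSH releases.

```python
import re

# Constructed sshd_config fragment with permissive settings.
WEAK_SSHD_CONFIG = """\
# Constructed example: password logon for any local account, root included
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed sshd_config fragment with the assumed hardened baseline.
HARDENED_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# Both a key and an interactive second factor are required (M1032)
AuthenticationMethods publickey,keyboard-interactive
# Only members of this group may log in (M1018)
AllowGroups ssh-users
# Settings after a Match line are conditional and are not global
Match Address 10.0.5.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return global settings as {lowercase keyword: [values in file order]}.

    sshd keywords are case-insensitive and may be separated from their value by
    whitespace or '='. Parsing stops at the first Match block because anything
    after it applies only to matching connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings, one per baseline setting that is not met."""
    cfg = parse_sshd_config(text)

    def first(key, default):
        # sshd honours the first occurrence of a keyword, so check that one.
        return cfg.get(key, [default])[0].lower()

    findings = []
    # M1018: limit which accounts may log in
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("M1018: no AllowUsers/AllowGroups, any local account may log in via SSH")
    if first("permitrootlogin", "prohibit-password") != "no":
        findings.append("M1018: PermitRootLogin is not 'no', direct root logon is possible")
    # M1032: require more than a single password
    if first("passwordauthentication", "yes") == "yes":
        findings.append("M1032: PasswordAuthentication yes, single-factor password logon allowed")
    methods = first("authenticationmethods", "any")
    # AuthenticationMethods lists alternatives separated by spaces; each
    # alternative is a comma-separated chain that must all succeed.
    if methods == "any" or any(len(chain.split(",")) < 2 for chain in methods.split()):
        findings.append("M1032: AuthenticationMethods allows a single-method logon")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or "no findings")
```

The weak fragment yields four findings and the hardened one none. Note what the check cannot see: M1042 (disabling the daemon where it is not needed) is a question of whether sshd runs at all, and the passphrase on a client's private key is never visible to the server, which is why the example treats AuthenticationMethods with two chained methods as the server-side evidence of a second factor.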