MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1563.001: SSH Hijacking

Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.

SSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of process-start events where command line input contains: — 'grep SSH_AUTH_SOCK /proc/environ' or any other occurrences of the SSH_AUTH_SOCK environment variable; — 'SSH_AUTH_SOCK= ssh @' or 'SSH_AUTH_SOCK= ssh-add –l'.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor newly executed processes that may hijack a legitimate user's SSH session to move laterally within an environment.

IDDS0029Data source and componentNetwork Traffic: Network Traffic ContentDescription

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may hijack a legitimate user's SSH session to move laterally within an environment.

IDDS0028Data source and componentLogon Session: Logon Session CreationDescription

Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.

IDDS0029Data source and componentNetwork Traffic: Network Traffic FlowDescription

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Mitigation

IDM1022NameRestrict File and Directory PermissionsDescription

Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities.

IDM1042NameDisable or Remove Feature or ProgramDescription

Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse.

IDM1027NamePassword PoliciesDescription

Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected.

IDM1026NamePrivileged Account ManagementDescription

Do not allow remote access via SSH as root or other privileged accounts.