
Remote Services: SSH

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.

ID: T1021.004
Sub-technique of: T1021
Tactic(s): Lateral Movement
Platforms: Linux, macOS
Data Sources: Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation, Process: Process Creation
Version: 1.1
Created: 11 Feb 2020
Last Modified: 15 Oct 2021

Procedure Examples

Name Description
FIN7

FIN7 has used SSH to move laterally through victim environments.(Citation: CrowdStrike Carbon Spider August 2021)

Lazarus Group

Lazarus Group used SSH and the PuTTY PSCP utility to gain access to a restricted segment of a compromised network.(Citation: Kaspersky ThreatNeedle Feb 2021)

Leviathan

Leviathan used SSH for internal reconnaissance.(Citation: FireEye APT40 March 2019)

BlackTech

BlackTech has used PuTTY for remote access.(Citation: Symantec Palmerworm Sep 2020)

Empire

Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.(Citation: Github PowerShell Empire)

Cobalt Strike

Cobalt Strike can SSH to a remote service.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)

GCMAN

GCMAN uses PuTTY for lateral movement.(Citation: Securelist GCMAN)

TEMP.Veles

TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.(Citation: FireEye TRITON 2019)

Kinsing

Kinsing has used SSH for lateral movement.(Citation: Aqua Kinsing April 2020)

Fox Kitten

Fox Kitten has used the PuTTY and Plink tools for lateral movement.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

TeamTNT

TeamTNT has used SSH to connect back to victim machines.(Citation: Intezer TeamTNT September 2020) TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.(Citation: Cisco Talos Intelligence Group)

OilRig

OilRig has used PuTTY to access compromised systems.(Citation: Unit 42 Playbook Dec 2017)

menuPass

menuPass has used PuTTY Secure Copy Client (PSCP) to transfer data.(Citation: PWC Cloud Hopper April 2017)

Rocke

Rocke has spread its coinminer via SSH.(Citation: Anomali Rocke March 2019)

APT39

APT39 used secure shell (SSH) to move laterally among their targets.(Citation: FireEye APT39 Jan 2019)

Mitigations

Mitigation Description
Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator.

User Account Management

Manage the creation, modification, use, and permissions associated with user accounts.

Detection

Use of SSH may be legitimate depending on the environment and how it is used. Other factors, such as access patterns and the activity that occurs after a remote login, may indicate suspicious or malicious use of SSH. Monitor for user accounts logged into systems they would not normally access, or for access to multiple systems over a relatively short period of time. On macOS systems, log show --predicate 'process = "sshd"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = "ssh" or eventMessage contains "ssh"' can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing) On Linux systems, SSH activity is recorded in /var/log/auth.log or /var/log/secure, depending on the distribution.
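The "access to multiple systems over a short period" pattern above can be checked mechanically once sshd logs from several Linux hosts are collected centrally. The following script is an added example, not part of the ATT&CK entry: it parses constructed auth.log/secure-style lines (hostnames, users and addresses are invented) and flags any account that authenticates to at least three distinct hosts within a ten-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: syslog lines from several hosts, in the format that
# /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL) use for sshd.
SAMPLE_LOG = """\
Oct 15 09:58:10 web01 sshd[2231]: Accepted publickey for deploy from 10.0.1.20 port 50122 ssh2: ED25519 SHA256:constructed
Oct 15 10:01:02 web01 sshd[2250]: Accepted password for alice from 10.0.5.7 port 51234 ssh2
Oct 15 10:02:40 db01 sshd[811]: Accepted password for alice from 10.0.5.7 port 51240 ssh2
Oct 15 10:03:15 db02 sshd[813]: Accepted password for alice from 10.0.5.7 port 51251 ssh2
Oct 15 10:04:55 backup01 sshd[4401]: Accepted publickey for alice from 10.0.5.7 port 51260 ssh2: RSA SHA256:constructed
Oct 15 10:05:30 db01 sshd[815]: Failed password for root from 10.0.5.7 port 51270 ssh2
Oct 15 13:30:00 web02 sshd[3310]: Accepted publickey for deploy from 10.0.1.20 port 50200 ssh2: ED25519 SHA256:constructed
"""

# Only successful logins ("Accepted <method> for <user> from <src>") are of interest here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_accepted(lines, year=2021):
    """Yield (timestamp, target_host, user, source_ip, auth_method) per successful login.
    Syslog lines carry no year, so the caller supplies it."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["user"], m["src"], m["method"]

def find_fan_out(lines, window_minutes=10, min_hosts=3):
    """Return {user: sorted list of hosts} for every account that logged into
    at least min_hosts distinct hosts inside some window of window_minutes."""
    by_user = defaultdict(list)
    for ts, host, user, _src, _method in parse_accepted(lines):
        by_user[user].append((ts, host))
    hits = {}
    for user, events in by_user.items():
        events.sort()  # chronological, so each event can open a candidate window
        for i, (start, _) in enumerate(events):
            in_window = {h for t, h in events[i:] if (t - start).total_seconds() <= window_minutes * 60}
            if len(in_window) >= min_hosts:
                hits[user] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for user, hosts in find_fan_out(SAMPLE_LOG.splitlines()).items():
        print(f"REVIEW: {user} reached {len(hosts)} hosts within 10 min: {', '.join(hosts)}")
```

In the sample, alice reaches four hosts in under four minutes and is reported, while deploy's two logins hours apart are not; tune the window and host threshold to the baseline of your own environment.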

References

  1. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  2. Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
  3. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  4. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  5. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  6. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
  7. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  8. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  9. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  10. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  11. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  12. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  13. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  14. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
  15. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  16. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  17. Kaspersky Lab's Global Research & Analysis Team. (2016, February 8). APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. Retrieved April 20, 2016.
  18. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
