- Tactics
- Lateral Movement
- Platforms
- Linux, macOS
- Reference
- attack.mitre.org/techniques/T1563.001
Description
Adversaries may hijack a legitimate user’s SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent’s socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)
SSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Lateral Movement tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1021 — Remote Services
- T1072 — Software Deployment Tools
- T1080 — Taint Shared Content
- T1091 — Replication Through Removable Media
- T1210 — Exploitation of Remote Services
- T1534 — Internal Spearphishing
- T1550 — Use Alternate Authentication Material
- T1563 — Remote Service Session Hijacking
- T1570 — Lateral Tool Transfer