Info
ID: AT-GA003.001
Technique: External Remote Services
Tactic: Gain Access
Platforms: Linux, macOS, Windows
Supports Remote: Yes
Version: 1.0
SSH Access
SSH (Secure Shell) is a cryptographic network protocol used for secure remote access, command execution, and data transfer. Attackers target SSH services as a primary vector for gaining initial access to networks and systems. The exploitation occurs through various methods including brute force attacks against weak credentials, leveraging stolen SSH keys, exploiting vulnerabilities in SSH implementations, or using credentials obtained through other means such as phishing or credential dumping. Once an attacker successfully authenticates to an SSH service, they typically gain shell access with the privileges of the compromised account, allowing them to execute commands, access files, and potentially pivot to other systems within the network. SSH access is particularly valuable to attackers because it is often allowed through firewalls for legitimate administrative purposes, provides encrypted communications that can hide malicious activity, and may grant persistent access that survives system reboots.
Data Sources
- Authentication Logs: SSH authentication attempts, successful logins, and session management
- Network Traffic: SSH connection establishment, encrypted traffic patterns, and connection metadata
- Process Monitoring: SSH daemon activity and spawned shell processes
- SSH Connection Logs: SSH server logs, client connection details, and session tracking
Mitigations
| ID | Mitigation | Description | 
|---|---|---|
| M1032 | Multi-factor Authentication | Implement multi-factor authentication for SSH access | 
| M1018 | User Account Management | Implement proper SSH key management and account access controls | 
| M1035 | Limit Access to Resource Over Network | Restrict SSH access to necessary hosts and implement network segmentation | 
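The mitigations above map to a handful of sshd_config directives. The following is an added example (not part of this page or of OpenSSH) that parses an sshd_config and reports settings that undercut M1032, M1018 and M1035; the weak and hardened sample configs and the baseline values are constructed for this example, and the check deliberately mirrors sshd's first-occurrence-wins rule so that a stray duplicate directive lower in the file does not silently override the hardened value.

```python
"""Audit sshd_config text against the SSH mitigations listed above.

Added example, not from the original page. Sample configs and the
expected baseline are constructed; adjust the baseline to local policy.
"""
from __future__ import annotations

# OpenSSH defaults used when a directive is absent (so an unstated
# PasswordAuthentication still counts as "yes").
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "authenticationmethods": "any",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective value of each directive, keyed in lower case.

    sshd honours the FIRST occurrence of a keyword; later duplicates are
    ignored. Everything from the first 'Match' line onward is conditional
    and is skipped here (constructed simplification).
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            break
        effective.setdefault(key, value.strip())
    return effective


def audit(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the config passes."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings: list[str] = []

    def expect(key: str, allowed: set[str], why: str) -> None:
        val = cfg[key].lower()
        if val not in allowed:
            findings.append(f"{key}={val} (expected {'/'.join(sorted(allowed))}; {why})")

    expect("permitrootlogin", {"no"}, "M1018: no direct root shells")
    expect("passwordauthentication", {"no"}, "M1018: keys, not guessable passwords")
    expect("pubkeyauthentication", {"yes"}, "M1018")
    expect("permitemptypasswords", {"no"}, "M1018")
    if int(cfg["maxauthtries"]) > 3:
        findings.append(f"maxauthtries={cfg['maxauthtries']} (expected <= 3; slows brute force)")
    # M1032: at least one AuthenticationMethods chain must require two factors,
    # e.g. "publickey,keyboard-interactive" (key plus a PAM/OTP prompt).
    chains = cfg["authenticationmethods"].split()
    if not any(len(chain.split(",")) >= 2 for chain in chains):
        findings.append(f"authenticationmethods={cfg['authenticationmethods']} (no two-factor chain; M1032)")
    if "allowgroups" not in cfg and "allowusers" not in cfg:
        findings.append("no AllowGroups/AllowUsers restriction (M1018/M1035)")
    return findings


# Constructed sample: mostly defaults plus root password login.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: key-only login with a second factor and a group allow-list.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AuthenticationMethods publickey,keyboard-interactive
AllowGroups ssh-admins
# A later duplicate is ignored by sshd, and therefore by this audit too.
PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg_text) or "OK")
```

Run it against the output of `sshd -T` on a real host rather than the file on disk when you want the effective configuration, since that command resolves defaults and Match blocks for you.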
Detection
| ID | Data Source | Detection | 
|---|---|---|
| DS0015 | Authentication Log | Alert when the same key fingerprint is used from multiple geolocations within an hour or when previously unseen keys log in as privileged users. | 
| DS0029 | Network Traffic Flow | Detect brute-force patterns (many TCP SYNs, failed auth packets) or new SSH banners on non-standard ports (2222, 9022). | 
| DS0009 | Process: Process Creation | On bastion hosts, flag ssh invocations that spawn reverse tunnels (-R) or dynamic port forwards (-D) outside maintenance windows. |
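The DS0015 and DS0009 rows above describe two checks in prose; the following added example (not from this page) implements both as detection logic over sample data. The sshd "Accepted publickey" log lines, the known-key inventory, the IP-to-country table, the process-creation events and the 02:00-04:00 maintenance window are all constructed for the example; in a real deployment the inventory would come from your key management system and the geolocation from a GeoIP database.

```python
"""DS0015: same key fingerprint from several geolocations within an hour,
or a previously unseen key logging in as a privileged user.
DS0009: ssh invocations with -R or -D outside the maintenance window.

Added example, not from the original page. All sample data is constructed.
"""
from __future__ import annotations
import re
import shlex
from collections import defaultdict
from datetime import datetime, time, timedelta

# OpenSSH logs successful key logins in this shape (syslog prefix, then the
# key type and SHA256 fingerprint at the end).
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ "
    r"ssh2: \S+ (?P<fp>SHA256:\S+)"
)
KNOWN_KEYS = {"SHA256:KEYALICE0001", "SHA256:KEYBOB00002"}          # constructed inventory
PRIVILEGED_USERS = {"root", "ops-admin"}
GEO_PREFIXES = {"198.51.100.": "DE", "203.0.113.": "BR", "192.0.2.": "DE"}  # constructed GeoIP
WINDOW = timedelta(hours=1)
MAINTENANCE = (time(2, 0), time(4, 0))                               # constructed window


def geolocate(ip: str) -> str:
    return next((c for p, c in GEO_PREFIXES.items() if ip.startswith(p)), "unknown")


def parse_accepted(lines):
    """Yield dicts for successful key logins; other sshd lines are ignored."""
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; same-day deltas are all we need here.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield {"ts": ts, "user": m["user"], "ip": m["ip"], "fp": m["fp"],
               "geo": geolocate(m["ip"])}


def detect_key_anomalies(lines, known_keys=KNOWN_KEYS, privileged=PRIVILEGED_USERS):
    """DS0015. Returns one tuple per alerting login, in time order."""
    alerts = []
    seen_by_fp = defaultdict(list)
    for ev in sorted(parse_accepted(lines), key=lambda e: e["ts"]):
        if ev["fp"] not in known_keys and ev["user"] in privileged:
            alerts.append(("unseen_key_privileged", ev["user"], ev["fp"], ev["ip"]))
        # Earlier logins with this key inside the window, plus this one: more than
        # one country means the key was used from several geolocations.
        recent = [p for p in seen_by_fp[ev["fp"]] if ev["ts"] - p["ts"] <= WINDOW]
        geos = {p["geo"] for p in recent} | {ev["geo"]}
        if len(geos) > 1:
            alerts.append(("key_multi_geo", ev["fp"], tuple(sorted(geos))))
        seen_by_fp[ev["fp"]].append(ev)
    return alerts


def detect_tunnels(events, maintenance=MAINTENANCE):
    """DS0009. events: (command line, datetime) pairs from process creation."""
    alerts = []
    for cmdline, ts in events:
        argv = shlex.split(cmdline)
        if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
            continue
        # Single-dash option clusters such as "-fNR" contain the flag letters.
        flags = set()
        for tok in argv[1:]:
            if tok.startswith("-") and not tok.startswith("--"):
                flags |= set(tok[1:]) & {"R", "D"}
        if flags and not (maintenance[0] <= ts.time() < maintenance[1]):
            alerts.append(("tunnel_outside_window", "".join(sorted(flags)), cmdline))
    return alerts


SAMPLE_LOG = """\
Mar 10 08:01:12 bastion sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:KEYALICE0001
Mar 10 08:20:40 bastion sshd[2251]: Accepted publickey for alice from 203.0.113.9 port 41877 ssh2: ED25519 SHA256:KEYALICE0001
Mar 10 09:02:03 bastion sshd[2302]: Failed password for invalid user admin from 203.0.113.9 port 41902 ssh2
Mar 10 10:05:00 bastion sshd[2410]: Accepted publickey for root from 192.0.2.44 port 60001 ssh2: RSA SHA256:KEYNEVERSEEN9
Mar 10 11:30:00 bastion sshd[2500]: Accepted publickey for bob from 198.51.100.8 port 50200 ssh2: ED25519 SHA256:KEYBOB00002
""".splitlines()

SAMPLE_PROCESS_EVENTS = [  # constructed (command line, start time)
    ("ssh -fN -R 2222:localhost:22 relay.example.net", datetime(2024, 3, 10, 14, 0)),
    ("/usr/bin/ssh -D 1080 ops@jump01", datetime(2024, 3, 10, 3, 15)),
    ("ssh -p 2222 admin@db01", datetime(2024, 3, 10, 14, 5)),
]

if __name__ == "__main__":
    for alert in detect_key_anomalies(SAMPLE_LOG) + detect_tunnels(SAMPLE_PROCESS_EVENTS):
        print(alert)
```

The multi-geolocation rule fires on the login that completes the pair, so a key used from DE, then BR, then DE again within the hour produces two alerts; that is intentional, since each later login is a separate event worth ticketing. The -D invocation at 03:15 is inside the constructed maintenance window and is therefore not flagged.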