Keypoints
- SSH provides encrypted remote shells used for legitimate administration and by attackers for lateral movement.
- Authentication can use passwords or public-private keypairs; the public halves are stored in the target account's authorized_keys file.
- ESXi, Linux, and macOS are common SSH targets; ESXi SSH can be enabled via host commands or vCenter.
- Detection relies on log sources like auth logs, macOS unified logs, and network connection records.
- Watch for anomalous access patterns, unusual post-login activity, and key-based logins from unexpected accounts.
Description:
- Analogy: SSH is like a locked corridor into the building: if the adversary holds a valid key or a stolen passcode, they can walk through and act as if they belong inside.
- How it works: Adversaries use valid accounts or stolen SSH keys to authenticate to remote hosts, then run commands or move laterally; this enables persistent, covert remote control and access to additional systems, making containment and attribution harder.
Detection:
- Monitor authentication logs: collect /var/log/auth.log or /var/log/secure on Linux, and the macOS unified log (e.g., log show --predicate 'process == "sshd"'), to identify unusual SSH logins.
- Capture key usage: alert on additions or changes to authorized_keys files and on SSH public-key authentications from uncommon sources.
- Network correlation: monitor network connection creation for outbound/inbound SSH (tcp/22 or custom ports), and correlate with source IP reputation and geolocation anomalies.
- Session behavior: inspect post-login process creation and command sequences to detect abnormal activity such as privilege escalation, credential harvesting, or lateral execution.
- Account anomaly detection: flag logins by accounts on hosts they don't normally access, rapid logins to many hosts, or logins at unusual hours for the user.
- Use host-based detection tools: employ EDR/XDR to capture process trees, terminal sessions, and command history; integrate with SIEM to build alerts and hunts.
- Mitigate false positives: baseline normal admin SSH patterns, whitelist known management hosts, and tune alerts for automated tools and jump hosts to reduce noise.
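The auth-log monitoring, key-usage, account-anomaly and baselining points above, carried out over constructed Linux auth.log lines as an added example (not code from the original page or from any ATT&CK tooling); the baseline sets, the threshold values and the assumed year 2024 are assumptions made for the demonstration:

```python
import re
from collections import defaultdict
from datetime import datetime
# OpenSSH "Accepted" lines as written to /var/log/auth.log or /var/log/secure (year assumed 2024).
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
# Constructed baseline of normal admin SSH patterns (assumed, not from the page).
KEY_ACCOUNTS = {"alice", "svc-backup"}     # accounts expected to log in with public keys
KNOWN_SOURCES = {"10.0.0.7", "10.0.0.50"}  # management / jump hosts
WORK_HOURS = range(7, 19)                  # 07:00-18:59 is normal for interactive admins
SPREAD_HOSTS, SPREAD_WINDOW_S = 3, 600     # >=3 distinct hosts within 10 minutes
# Constructed sample of centralized auth-log lines (documentation address ranges).
SAMPLE_LOG = """\
Mar  4 02:13:07 host1 sshd[1234]: Accepted publickey for root from 203.0.113.5 port 51234 ssh2: RSA SHA256:PLACEHOLDER
Mar  4 09:05:11 host1 sshd[1300]: Accepted password for alice from 10.0.0.7 port 40000 ssh2
Mar  4 09:06:02 host2 sshd[2211]: Accepted publickey for svc-backup from 10.0.0.50 port 40100 ssh2: ED25519 SHA256:PLACEHOLDER
Mar  4 09:07:44 host3 sshd[3001]: Accepted publickey for alice from 10.0.0.7 port 40200 ssh2: ED25519 SHA256:PLACEHOLDER
Mar  4 09:08:15 host4 sshd[3100]: Accepted publickey for alice from 10.0.0.7 port 40300 ssh2: ED25519 SHA256:PLACEHOLDER
Mar  4 09:09:00 host1 sshd[3200]: Failed password for invalid user admin from 198.51.100.9 port 5555 ssh2
""".splitlines()

def parse_accepted(line):
    """Return the fields of an sshd 'Accepted' line, or None for any other line."""
    m = ACCEPTED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime("2024 " + rec["ts"], "%Y %b %d %H:%M:%S")
    return rec

def analyze(lines):
    """Apply the baseline rules to auth-log lines; return (alert_tag, line) pairs."""
    alerts, seen = [], defaultdict(list)  # seen: user -> [(time, host)]
    for line in lines:
        rec = parse_accepted(line)
        if rec is None:
            continue
        if rec["method"] == "publickey" and rec["user"] not in KEY_ACCOUNTS:
            alerts.append(("key_login_unexpected_account", line))
        if rec["src"] not in KNOWN_SOURCES:
            alerts.append(("unknown_source", line))
        if rec["time"].hour not in WORK_HOURS:
            alerts.append(("off_hours", line))
        seen[rec["user"]].append((rec["time"], rec["host"]))
        recent = {h for t, h in seen[rec["user"]] if (rec["time"] - t).total_seconds() <= SPREAD_WINDOW_S}
        if len(recent) >= SPREAD_HOSTS:
            alerts.append(("rapid_multi_host", line))
    return alerts
```

Running analyze(SAMPLE_LOG) flags the off-hours root key login from an unknown address three times and the third alice host within ten minutes once, while the baseline logins and the failed attempt produce nothing.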
Tactics:
Lateral Movement
Platforms:
ESXi, Linux, macOS
Data Sources:
Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation, Process: Process Creation