EXPLORE

← Back to Explore

T1021.004

SSH

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ss...

ESXiLinuxmacOS

31

Detections

4

Sources

19

Threat Actors

BY SOURCE

18elastic7splunk_escu5sigma1crowdstrike_cql

PROCEDURES (21)

Authentication Monitoring4 detections

Auto-extracted: 4 detections for authentication monitoring

Service3 detections

Auto-extracted: 3 detections for service

Encrypt2 detections

Auto-extracted: 2 detections for encrypt

C22 detections

Auto-extracted: 2 detections for c2

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Persist2 detections

Auto-extracted: 2 detections for persist

Privilege2 detections

Auto-extracted: 2 detections for privilege

Download1 detections

Auto-extracted: 1 detections for download

Http1 detections

Auto-extracted: 1 detections for http

Remote1 detections

Auto-extracted: 1 detections for remote

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Unusual1 detections

Auto-extracted: 1 detections for unusual

Child Process1 detections

Auto-extracted: 1 detections for child process

Http1 detections

Auto-extracted: 1 detections for http

Bypass1 detections

Auto-extracted: 1 detections for bypass

Credential1 detections

Auto-extracted: 1 detections for credential

Tunnel1 detections

Auto-extracted: 1 detections for tunnel

Powershell1 detections

Auto-extracted: 1 detections for powershell

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Tunnel1 detections

Auto-extracted: 1 detections for tunnel

THREAT ACTORS (19)

APT39 APT5 Aquatic Panda BlackTech FIN13 FIN7 Fox Kitten GCMAN Indrik Spider Lazarus Group Leviathan menuPass OilRig Rocke Salt Typhoon Scattered Spider Storm-1811 TeamTNT UNC3886

DETECTIONS (31)

AWS EC2 Instance Connect SSH Public Key Uploaded

Bitbucket Global SSH Settings Changed

Bitbucket User Login Failure Via SSH

Cisco Privileged Account Creation with HTTP Command Execution

Cisco Privileged Account Creation with Suspicious SSH Activity

Cisco Secure Firewall - SSH Connection to Non-Standard Port

Cisco Secure Firewall - SSH Connection to sshd_operns

ESXi SSH Enabled

Linux SSH Remote Services Script Execute

Linux SSH X11 Forwarding

Network Connection Initiated by Suspicious SSHD Child Process

OpenEDR Spawning Command Shell

OpenSSH Server Listening On Socket

Port Forwarding Activity Via SSH.EXE

Potential Execution via SSH Backdoor

Potential Internal Linux SSH Brute Force Detected

Potential Remote Desktop Tunneling Detected

Potential THC Tool Downloaded

Remote File Creation in World Writeable Directory

Remote Port Forwarding via Plink - Unauthorized RDP Tunneling Detection

crowdstrike_cql

Remote SSH Login Enabled via systemsetup Command

Renaming of OpenSSH Binaries

SSH Authorized Key File Activity Detected via Defend for Containers

SSH Authorized Keys File Activity

SSH Key Generated via ssh-keygen

Successful SSH Authentication from Unusual IP Address

Successful SSH Authentication from Unusual SSH Public Key

Successful SSH Authentication from Unusual User

Unusual Remote File Creation

Unusual SSHD Child Process

Windows Protocol Tunneling with Plink