T1563.001

SSH Hijacking

Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair. In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via pu...

Linux, macOS

Detections: 8
Sources: 1
Threat Actors: 0

BY SOURCE

elastic (8)

PROCEDURES (7)

Persist: 2 detections

Auto-extracted: 2 detections for persist

Service: 1 detection

Auto-extracted: 1 detection for service

Network Connection Monitoring: 1 detection

Auto-extracted: 1 detection for network connection monitoring

Credential: 1 detection

Auto-extracted: 1 detection for credential

Service: 1 detection

Auto-extracted: 1 detection for service

Child Process: 1 detection

Auto-extracted: 1 detection for child process

Credential: 1 detection

Auto-extracted: 1 detection for credential

DETECTIONS (8)