T1021.004 - SSH

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.

Atomic Tests:

Currently, no tests are available for this technique.

Detection

Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.

On macOS systems log show –predicate ‘process = “sshd”’ can be used to review incoming SSH connection attempts for suspicious activity. The command log show –info –predicate ‘process = “ssh” or eventMessage contains “ssh”’ can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)

On Linux systems SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.