Hello and welcome to another application of the MITRE ATT&CK framework discussion. Today we're going to look at SSH hijacking within the lateral movement phase in the MITRE ATT&CK framework. So let's go ahead and look at our objectives.

So today's objectives are as follows: we're going to describe SSH hijacking. What are some mitigation techniques? What are some detection techniques? And why this differs from remote application.
SSH hijacking is when a threat actor uses a trusted relationship between systems to establish a connection to other systems. By taking advantage of public key authentication and active SSH sessions, the threat actor will hijack the session, which becomes trivial if the threat actor has root privilege. SSH hijacking is different from the use of remote services or remote service exploitation, because it injects into an existing SSH session rather than creating a new valid session or using that session through a valid account.

So in this case, again, it differs because we're taking an existing session and we're hijacking that session. Now, an example of a tool that takes advantage of this is Ebury, which is an SSH rootkit.
It is a backdoor-style Trojan, in this case for Linux-style systems. Typically, it is installed by attackers with root-level access to the system, either through replacing binaries or by making changes to an SSH library. Some antivirus products can detect this tool, but there may be some limitations dependent on the vendors and the variant that is in place. Now, this is just one of many different ways that SSH can be used to the benefit of a threat actor to move laterally through systems. I know, through a number of courses as well as engagements that I have been on, it is always great to find an open SSH session or some type of port that is open and communicating over SSH that was not properly configured, and then you can elevate yourself into administrative or root privilege. That is always a nice feeling.
Now, mitigation techniques are as follows. If SSH is not needed, of course, we remove the ability of systems to use it. We do not allow remote access via SSH as root or other elevated account types.

So with systems or distributions like Kali Linux, we have to go through very specific steps to allow root privilege to even run over SSH and to use that account over SSH. And so if you do so, you are knowingly opening yourself up to issues if that account is compromised. And then properly hardening systems to prevent root privilege escalation, again, through things like patching, least privilege on applications, least privilege on user accounts, all is to the benefit of the organization to mitigate the ability of a threat actor to move aggressively through systems.
Detection techniques: we can monitor the use of SSH activity and ensure that it is not being used in a manner that is contrary to the organization's policies. Again, if you have no use for SSH internally, or if you should not have users internally that are using that particular method to connect to systems, any incident or event related to the use of such tools should be considered a flag and should be reviewed for malicious activity.
Now let's do a quick check on learning. True or false: SSH hijacking is when a threat actor takes over an active SSH session.
All right, well, if you need some additional time, please pause the video and take it. So this is a true statement. SSH hijacking is when a threat actor takes over an active SSH session. And so this is a true statement. So in summary of today's discussion, we described SSH hijacking. We described mitigation techniques. We looked at detection techniques. We squeezed the tool in between these two areas, and we looked at just one example of what is out there to take advantage of SSH sessions once a threat actor is on a system. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
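The two controls the talk names, refusing root logins over SSH and reviewing SSH activity against the organization's policy, as an added example that is not part of the video or its transcript. The sshd_config fragments, the auth-log lines, the approved source network (10.0.0.0/24) and the set of elevated accounts (root, admin) are all constructed for the example. It goes slightly beyond the talk by also checking that AllowUsers or AllowGroups limits which accounts may use SSH at all.

```python
"""Audit sshd_config for the root-over-SSH weakness the talk describes, and
flag accepted SSH logins that break a site policy, from OpenSSH auth log lines.
Example code added here; every config, log line and policy value is constructed."""
import ipaddress
import re

# Constructed sshd_config fragments (not taken from any real host).
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes          # root can hold an SSH session straight from the network
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no           # log in unprivileged, escalate locally and audibly
PubkeyAuthentication yes
AllowUsers alice bob         # only named accounts may use SSH at all
"""

# Constructed (hypothetical) policy: where SSH sessions may originate and which
# accounts count as elevated.
APPROVED_NETS = [ipaddress.ip_network("10.0.0.0/24")]
ELEVATED_ACCOUNTS = {"root", "admin"}

# Constructed auth.log lines in OpenSSH's "Accepted <method> for <user> from
# <ip> port <n>" shape; the key fingerprints are placeholders.
SAMPLE_AUTH_LOG = [
    "Mar  3 09:12:44 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:CONSTRUCTED1",
    "Mar  3 09:13:01 web01 sshd[2240]: Accepted publickey for root from 10.0.0.5 port 50140 ssh2: RSA SHA256:CONSTRUCTED2",
    "Mar  3 09:15:30 web01 sshd[2302]: Accepted password for bob from 192.168.77.9 port 41000 ssh2",
    "Mar  3 09:15:31 web01 sshd[2302]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
    "Mar  3 09:16:02 web01 sshd[2350]: Failed password for invalid user test from 203.0.113.4 port 55555 ssh2",
]


def parse_sshd_config(text):
    """Map each directive (lower-cased) to its effective value.

    Only the whitespace-separated "Key value" form is handled.  sshd honours the
    first occurrence of a directive, so later duplicates are ignored here too.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """Return human-readable findings; an empty list means the checked settings are hardened."""
    cfg = parse_sshd_config(text)
    findings = []
    # OpenSSH's compiled-in default is prohibit-password; anything other than
    # "no" lets root own a network SSH session, the situation the talk warns about.
    root = cfg.get("permitrootlogin", "prohibit-password").lower()
    if root != "no":
        findings.append(f"PermitRootLogin is '{root}'; set it to 'no' and escalate locally instead")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account may log in over SSH")
    return findings


ACCEPTED_LOGIN = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_policy_violations(lines, elevated=ELEVATED_ACCOUNTS, approved_nets=APPROVED_NETS):
    """Return (user, source, method, reasons) for each accepted login that breaks policy."""
    alerts = []
    for line in lines:
        m = ACCEPTED_LOGIN.search(line)
        if not m:
            continue                                # failures and PAM session lines are not logins
        user, src, method = m["user"], m["src"], m["method"]
        reasons = []
        if user in elevated:
            reasons.append("direct login as elevated account")
        try:
            addr = ipaddress.ip_address(src)
            if not any(addr in net for net in approved_nets):
                reasons.append("source outside approved SSH origin networks")
        except ValueError:
            reasons.append(f"unparseable source address {src!r}")
        if reasons:
            alerts.append((user, src, method, reasons))
    return alerts


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
    for user, src, method, reasons in detect_policy_violations(SAMPLE_AUTH_LOG):
        print(f"ALERT {user}@{src} via {method}: {'; '.join(reasons)}")
```

On the constructed input the audit reports two findings for the weak configuration and none for the hardened one, and the log check raises two alerts: the root login (elevated account, even though it came from the approved network) and bob's login from a network the policy does not cover. This catches SSH use that contradicts policy, which is what the talk asks for; it does not see a hijacker riding an already-authenticated session, and an Ebury-style replacement of the SSH binaries or libraries is a file-integrity question (package verification against known-good hashes) rather than a log question.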