Lateral movement

Lateral movement refers to the techniques attackers use to move around the network once they have gained initial access. The attacker may or may not have fully compromised the host through privilege escalation before moving laterally.

SSH is the typical lateral movement vector on Linux systems and an easy one for attackers to abuse. Attackers also use SSH tunnels to create encrypted connections between systems and move data between them without being detected.

It is important to note that there is no single indicator that detects SSH lateral movement; several sources have to be combined.

SSH Logs

The sshd logs are written to the /var/log/secure file. See more details about the secure log file in the Log Analysis section.

As a first step, grep for sshd logs in the secure log file.

[tlasso@rhel-richmondfc log]$ sudo cat secure* | grep sshd
Jul  2 12:02:12 rhel-richmondfc sshd[950]: Server listening on :: port 22.
Jul  2 14:36:34 rhel-richmondfc sshd[6612]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.26.0.1 user=nate@corp.tuxtriage.net
Jul  2 14:36:34 rhel-richmondfc sshd[6612]: Accepted password for nate@corp.tuxtriage.net from 172.26.0.1 port 56050 ssh2
Jul  2 14:36:35 rhel-richmondfc sshd[6612]: pam_unix(sshd:session): session opened for user nate@corp.tuxtriage.net(uid=357201109) by (uid=0)
Jul  2 23:44:14 rhel-richmondfc sshd[949]: Server listening on 0.0.0.0 port 22.

From the above snippet, we can observe pam_sss(sshd:auth), i.e. Pluggable Authentication Modules (PAM) using the System Security Services Daemon (SSSD) to authenticate the sshd login. The remote host from which the connection originates is given by the rhost field. Once the connection is accepted, the user details, including the uid of the user, are logged to the same file. All lines belonging to one logon carry the same sshd process ID in brackets (sshd[6612] above), which is what allows them to be tied together.

The above log entries can be used to construct an incoming logon session.
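The following Python script, added here as an example and not part of the original page, correlates sshd entries by their process ID into incoming logon sessions. The sample log is constructed from the snippet above; the second session (PID 7001, host 172.26.0.9, the key fingerprint) is a made-up addition to show a publickey logon that has not yet closed.

```python
import re

# Constructed sample, modelled on the /var/log/secure entries shown above; the second
# session (PID 7001, 172.26.0.9, the SHA256 fingerprint) is made up for illustration.
SAMPLE_SECURE_LOG = """\
Jul  2 12:02:12 rhel-richmondfc sshd[950]: Server listening on :: port 22.
Jul  2 14:36:34 rhel-richmondfc sshd[6612]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.26.0.1 user=nate@corp.tuxtriage.net
Jul  2 14:36:34 rhel-richmondfc sshd[6612]: Accepted password for nate@corp.tuxtriage.net from 172.26.0.1 port 56050 ssh2
Jul  2 14:36:35 rhel-richmondfc sshd[6612]: pam_unix(sshd:session): session opened for user nate@corp.tuxtriage.net(uid=357201109) by (uid=0)
Jul  2 15:10:02 rhel-richmondfc sshd[6612]: pam_unix(sshd:session): session closed for user nate@corp.tuxtriage.net
Jul  2 15:12:40 rhel-richmondfc sshd[7001]: Accepted publickey for root from 172.26.0.9 port 40112 ssh2: RSA SHA256:CONSTRUCTED_FINGERPRINT
Jul  2 15:12:40 rhel-richmondfc sshd[7001]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
"""

# Syslog prefix: timestamp, host, sshd[<pid>]: message.  The PID is what ties the
# pam_sss / Accepted / session lines of one logon together.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)")
OPENED_RE = re.compile(r"session opened for user (?P<user>[^(\s]+)(?:\(uid=(?P<uid>\d+)\))?")
CLOSED_RE = re.compile(r"session closed for user (?P<user>\S+)")

def build_sessions(log_text):
    """Correlate sshd lines by PID into incoming logon sessions.
    Only PIDs with an 'Accepted ...' line are kept (the listener and failed attempts
    drop out); PIDs are reused across reboots, so correlate within one log window."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {"pid": int(m["pid"]), "host": m["host"]})
        msg = m["msg"]
        if a := ACCEPTED_RE.search(msg):
            s.update(accepted=m["ts"], method=a["method"], user=a["user"],
                     rhost=a["rhost"], port=int(a["port"]))
        elif o := OPENED_RE.search(msg):
            s["opened"] = m["ts"]
            if o["uid"]:
                s["uid"] = int(o["uid"])
        elif CLOSED_RE.search(msg):
            s["closed"] = m["ts"]
    return [s for s in sessions.values() if "accepted" in s]

if __name__ == "__main__":
    for s in build_sessions(SAMPLE_SECURE_LOG):
        print(f"{s['accepted']}  {s['user']:<28} from {s['rhost']}:{s['port']} "
              f"via {s['method']}  closed={s.get('closed', 'still open / not logged')}")
```

On a live system, feed it the concatenated secure* files (sudo cat /var/log/secure* | grep sshd) instead of the embedded sample; rhost values from hosts that should never initiate SSH are the first pivot for a lateral movement review.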

Outgoing SSH sessions are unfortunately not logged by default.

SSH Keys

SSH keys can provide passwordless authentication to network resources. However, they can be abused if not properly secured. An attacker who has compromised a host can impersonate the key owner if the private keys are not protected.

Private keys

While the presence of private keys does not by itself establish lateral movement, it does establish the attack surface and the investigation perimeter.

Use the grep command to look for key files.

# -l prints only the matching file names; current ssh-keygen writes an OPENSSH header rather than RSA/DSA
grep -rlE "BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY" / --exclude-dir=proc --exclude-dir=sys 2>/dev/null

If any keys are found on the system being investigated, look for entries in the ~/.ssh/known_hosts file along with ~/.bash_history and ~/.ssh/config and try to identify the hosts that the attacker may have communicated with.

Authorized keys

The SSH authorized keys file ~/.ssh/authorized_keys stores public keys and can be used for passwordless authentication from an attacker machine. An attacker-added key essentially acts as a back door.

Other tools

SSH is not the only lateral movement tool used by attackers. Protocols such as SNMP, and remote desktop protocols such as X Window, VNC and Xrdp, can also be used.