Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
Multiple uncommon SSH servers were observed using the same host key.
Attacker's Goals
Attackers may attempt to move laterally within the network by exploiting and relaying stolen client credentials to another SSH server.
Investigative actions
- Audit the authentication attempts to the SSH server using the same key.
- Look for unusual or repeated connections from the same or unexpected hosts.
- Audit client credentials: check for any signs of compromised client credentials being used on different SSH servers.
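The audit described above can be started by grouping observed SSH connections by host key fingerprint. The sketch below is an added example, not the product's detection logic: the record layout, the function name `find_shared_host_keys`, and the definition of "uncommon" (a server contacted by fewer than three distinct clients) are assumptions, while the one-day suppression window mirrors the deduplication period in the synopsis.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T = datetime.fromisoformat
# Constructed observations: (time, ssh_server, host_key_fingerprint, client)
OBSERVATIONS = [
    (T("2024-01-01T09:00"), "10.0.0.5", "SHA256:constructed-A", "10.0.1.1"),
    (T("2024-01-01T09:10"), "10.0.0.5", "SHA256:constructed-A", "10.0.1.2"),
    (T("2024-01-01T09:20"), "10.0.0.5", "SHA256:constructed-A", "10.0.1.3"),
    (T("2024-01-01T11:00"), "10.0.0.40", "SHA256:constructed-A", "10.0.1.1"),
    (T("2024-01-02T10:00"), "10.0.0.21", "SHA256:constructed-B", "10.0.1.7"),
    (T("2024-01-02T10:05"), "10.0.0.22", "SHA256:constructed-B", "10.0.1.7"),
    (T("2024-01-02T18:00"), "10.0.0.23", "SHA256:constructed-B", "10.0.1.8"),
    (T("2024-01-03T12:00"), "10.0.0.30", "SHA256:constructed-C", "10.0.1.9"),
    (T("2024-01-04T09:00"), "10.0.0.21", "SHA256:constructed-B", "10.0.1.7"),
]

def find_shared_host_keys(observations, common_clients=3, dedup=timedelta(days=1)):
    """Return (time, fingerprint, servers) for keys seen on 2+ uncommon servers."""
    # Assumption: a server is "uncommon" if fewer than `common_clients`
    # distinct clients connected to it in the observed data.
    clients = defaultdict(set)
    for _, server, _, client in observations:
        clients[server].add(client)
    uncommon = {s for s, c in clients.items() if len(c) < common_clients}

    servers_by_key = defaultdict(set)
    last_alert = {}
    alerts = []
    for ts, server, fingerprint, _ in sorted(observations):
        if server not in uncommon:
            continue  # well-known servers do not count toward this alert
        servers_by_key[fingerprint].add(server)
        if len(servers_by_key[fingerprint]) < 2:
            continue  # key seen on a single uncommon server so far
        previous = last_alert.get(fingerprint)
        if previous is not None and ts - previous < dedup:
            continue  # suppress repeats inside the deduplication period
        last_alert[fingerprint] = ts
        alerts.append((ts, fingerprint, sorted(servers_by_key[fingerprint])))
    return alerts

if __name__ == "__main__":
    for ts, fingerprint, servers in find_shared_host_keys(OBSERVATIONS):
        print(ts.isoformat(), fingerprint, servers)
```

Each alert lists the servers presenting the shared key, which is the set whose authentication logs and connecting clients should be reviewed.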