Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
Multiple uncommon SSH Servers with the same Server host key.
Attacker's Goals
Attackers may attempt to move laterally within the network by exploiting and relaying stolen client credentials to another SSH server.
Investigative actions
- Audit the authentication attempts to the SSH servers using the same key.
- Look for unusual or repeated connections from the same or unexpected hosts.
- Audit client credentials: check for any signs of compromised client credentials being used on different SSH servers.
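The triage steps above can be scripted over exported SSH session records. The following is an added example, not the product's detector logic: it groups servers by host key fingerprint and lists the client and user pairs that reached more than one server sharing a key. The record fields (`client`, `server`, `hostkey_fp`, `user`) and all sample values are assumptions constructed for illustration, and the "uncommon server" baseline from the training period is not modeled.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry): one row per observed SSH session.
# Field names are assumptions for this example; map them to your own log schema.
SESSIONS = [
    {"client": "10.0.1.15", "server": "10.0.2.10", "hostkey_fp": "SHA256:EXAMPLE-FP-A", "user": "deploy"},
    {"client": "10.0.1.15", "server": "10.0.9.77", "hostkey_fp": "SHA256:EXAMPLE-FP-A", "user": "deploy"},
    {"client": "10.0.1.22", "server": "10.0.2.10", "hostkey_fp": "SHA256:EXAMPLE-FP-A", "user": "alice"},
    {"client": "10.0.1.22", "server": "10.0.3.5", "hostkey_fp": "SHA256:EXAMPLE-FP-B", "user": "alice"},
]


def shared_host_keys(sessions, min_servers=2):
    """Return {fingerprint: [servers]} for host keys presented by several distinct servers."""
    servers_by_fp = defaultdict(set)
    for s in sessions:
        servers_by_fp[s["hostkey_fp"]].add(s["server"])
    return {fp: sorted(srv) for fp, srv in servers_by_fp.items() if len(srv) >= min_servers}


def clients_to_review(sessions, shared):
    """For each shared key, return (client, user) pairs seen on more than one of its servers."""
    seen = defaultdict(lambda: defaultdict(set))
    for s in sessions:
        if s["hostkey_fp"] in shared:
            seen[s["hostkey_fp"]][(s["client"], s["user"])].add(s["server"])
    return {
        fp: {pair: sorted(srv) for pair, srv in pairs.items() if len(srv) > 1}
        for fp, pairs in seen.items()
    }


if __name__ == "__main__":
    shared = shared_host_keys(SESSIONS)
    for fp, servers in shared.items():
        print(f"host key {fp} presented by: {', '.join(servers)}")
    for fp, pairs in clients_to_review(SESSIONS, shared).items():
        for (client, user), servers in pairs.items():
            print(f"  review {user}@{client}: authenticated to {', '.join(servers)}")
```
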