SSH Hijacking linux lateral movement addition proposal

[paragonsec]

Below is my proposal for SSH Hijacking for lateral movement.

enabled: true
meta:
author: paragonsec
created: 2018-03-22
decorations:

• Purple Team
  description: Lateral Movement with SSH Agent Hijacking
  link: https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking
  mitre_link: https://attack.mitre.org/wiki/Technique/T1184
  mitre_attack_phase: Lateral Movement
  mitre_attack_technique: Lateral Movement with SSH Agent Hijacking
  purple_actions:
  1: grep ~/.ssh/config -e ForwardAgent > ssh_config.txt
  2: ps ef |grep -i -e "ssh-agent" > ssh_process.txt
  3: cat /proc/*/environ |tr -s '\0' '\n' | grep SSH_AUTH_SOCK |sort -u 2>/dev/null > ssh_agent.txt
  os: linux
  name: Lateral Movement with SSH Agent Hijacking

---

[carnal0wnage]

@paragonsec if you submit a diff with the actual yaml file i would be able to merge these faster.

-CG

[paragonsec]

@carnal0wnage Created a pull request with the purposed file. Thanks!

[paragonsec]

@carnal0wnage Question outside of this issue. I am putting together data exfil techniques on Linux for this project. However, there are a ton of different methods like using netcat, /dev/tcp, telnet, DNS, ssh, etc... Would it be better to separate them to their own specific yml file according to technique like one for nc, one for dns, etc...?

[carnal0wnage]

If they are the same technique i think you can put them in one file. People can grab a line or two and make their own yaml...that's the vision anyway :-)

[paragonsec]

Sounds good. Will try not to get to carried away with this lol. This is an awesome project!

[carnal0wnage]

thanks! i really appreciate you submitting things. keep em coming :-)

[carnal0wnage]

accepted the diff. thanks again!