MITRE ATT&CK Technique
Lateral Movement T1184
Description

Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair. In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial. (Citation: Slideshare Abusing SSH) (Citation: SSHjack Blackhat) (Citation: Clockwork SSH Agent Hijacking) Compromising the SSH agent also provides access to intercept SSH credentials. (Citation: Welivesecurity Ebury SSH) [SSH Hijacking](https://attack.mitre.org/techniques/T1184) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it injects into an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).

Supported Platforms
Linux macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2018-01-16T16:13:52.465Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Secure Shell (SSH) is a standard means of remote access on '
                'Linux and macOS systems. It allows a user to connect to '
                'another system via an encrypted tunnel, commonly '
                'authenticating through a password, certificate or the use of '
                'an asymmetric encryption key pair.\n'
                '\n'
                'In order to move laterally from a compromised host, '
                'adversaries may take advantage of trust relationships '
                'established with other systems via public key authentication '
                'in active SSH sessions by hijacking an existing connection to '
                'another system. This may occur through compromising the SSH '
                "agent itself or by having access to the agent's socket. If an "
                'adversary is able to obtain root access, then hijacking SSH '
                'sessions is likely trivial. (Citation: Slideshare Abusing '
                'SSH) (Citation: SSHjack Blackhat) (Citation: Clockwork SSH '
                'Agent Hijacking) Compromising the SSH agent also provides '
                'access to intercept SSH credentials. (Citation: '
                'Welivesecurity Ebury SSH)\n'
                '\n'
                '[SSH Hijacking](https://attack.mitre.org/techniques/T1184) '
                'differs from use of [Remote '
                'Services](https://attack.mitre.org/techniques/T1021) because '
                'it injects into an existing SSH session rather than creating '
                'a new session using [Valid '
                'Accounts](https://attack.mitre.org/techniques/T1078).',
 'external_references': [{'external_id': 'T1184',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1184'},
                         {'description': 'Duarte, H., Morrison, B. (2012). '
                                         '(Mis)trusting and (ab)using ssh. '
                                         'Retrieved January 8, 2018.',
                          'source_name': 'Slideshare Abusing SSH',
                          'url': 'https://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219'},
                         {'description': 'Adam Boileau. (2005, August 5). '
                                         'Trust Transience:  Post Intrusion '
                                         'SSH Hijacking. Retrieved December '
                                         '19, 2017.',
                          'source_name': 'SSHjack Blackhat',
                          'url': 'https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-boileau.pdf'},
                         {'description': 'Beuchler, B. (2012, September 28). '
                                         'SSH Agent Hijacking. Retrieved '
                                         'December 20, 2017.',
                          'source_name': 'Clockwork SSH Agent Hijacking',
                          'url': 'https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking'},
                         {'description': 'M.Léveillé, M. (2014, February 21). '
                                         'An In-depth Analysis of Linux/Ebury. '
                                         'Retrieved January 8, 2018.',
                          'source_name': 'Welivesecurity Ebury SSH',
                          'url': 'https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/'}],
 'id': 'attack-pattern--c1b11bf7-c68e-4fbf-a95b-28efbe7953bb',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'lateral-movement'}],
 'modified': '2025-10-24T17:49:19.946Z',
 'name': 'SSH Hijacking',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Anastasios Pingios'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About