Overview
The SSH Key Breadcrumb generates an SSH key pair, together with a matching SSH client configuration entry, that point to a Canary running the SSH service.
Attackers commonly search compromised systems for SSH keys that may provide access to additional hosts. Placing believable SSH keys on systems an attacker is likely to explore can help steer lateral movement toward your Canaries, where any use of the key raises an alert.
Placement Ideas
Good locations for SSH Key Breadcrumbs include:
- Linux administrator workstations: Place keys in ~/.ssh/ alongside existing SSH keys and SSH configuration files.
- Jump boxes or bastion hosts: Place keys in shared operational accounts or administrator home directories used to access internal infrastructure.
- CI/CD / automation systems: Place keys on build servers, deployment hosts, or automation systems where scripted SSH access would be expected.
Follow the steps below to create an SSH Key Breadcrumb:
Step 1: Log in to your Console
Step 2: Confirm SSH is enabled on the Canary
Click the Canary you want to deploy the SSH Key Breadcrumb for and confirm the SSH service is enabled.
Step 3: Open the Breadcrumbs tile on your Flock
Once you have confirmed that SSH is enabled, open the Breadcrumbs tile to create and download the SSH Key Breadcrumb.
Step 4: Select the Breadcrumb
Select SSH Key from the list of available Breadcrumbs.
If the Breadcrumb you want to create is greyed out, none of the Canaries in the selected Flock have the required service enabled. Enable the required service on a Canary and try again.
Step 5: Select the Canary
Select the Canary from the drop-down list. In this example, we have selected the JHB-Router Canary.
If a Canary is not available in the drop-down list, it does not have the service required for this Breadcrumb enabled. Enable the required service on the Canary and try again.
Step 6: Set the SSH Key Reminder
Enter a Reminder for the SSH Key Breadcrumb and select Create. In this example, we have used: bastion-west | ~/.ssh/config
Make sure the reminder is descriptive and helps identify where the SSH Key Breadcrumb was deployed.
For example, a reminder such as "test SSH key" may not provide enough context when reviewing an alert in the future.
We recommend using the following format:
Hostname | Location
Step 7: Download the Breadcrumb
Select Download Breadcrumb (option 5) to download the Breadcrumb ZIP file.
The download page contains the following:
- The SSH connection details for the selected Canary (IP address and port).
- The SSH configuration entry generated for this Breadcrumb.
- The private SSH key generated for this Breadcrumb.
- The public SSH key generated for this Breadcrumb.
- Download Breadcrumb - Downloads a ZIP file containing all files required to deploy the Breadcrumb.
Step 8: Deploy the Breadcrumb on the target host
Extract the downloaded ZIP file and deploy the SSH Key Breadcrumb on the target host. Give the private key the same permissions a real one would have (0600), since ssh refuses to use a private key that other users can read, and make sure the Host alias in the configuration entry does not collide with an entry already present in the file.
In this example, we have placed the generated SSH key in ~/.ssh/ and added the SSH configuration entry to ~/.ssh/config on the bastion-west host.
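The deployment in Step 8, as an added example script that is not part of Thinkst's documentation or tooling. It assumes file names for the extracted key and configuration entry (jhb-router.key, jhb-router.conf), a Host alias of jhb-router, the documentation address 192.0.2.10 as the Canary, and a placeholder key body; all of these are constructed for the example. The script installs the key with private permissions, refuses to append a config entry whose Host alias already exists (so a real entry is never shadowed or duplicated), and then checks the result.

```sh
#!/bin/sh
# Added example (not Thinkst's code): install an SSH Key Breadcrumb on a
# target host. File names inside the ZIP, the Host alias, the 192.0.2.10
# address and the key body below are assumptions/constructed placeholders.

# deploy_ssh_breadcrumb SSH_DIR KEY_SRC CONFIG_SRC KEY_NAME
#   Creates SSH_DIR (0700) if needed, installs KEY_SRC as SSH_DIR/KEY_NAME
#   (0600) and appends CONFIG_SRC to SSH_DIR/config. Returns 1 without
#   touching anything if SSH_DIR/config already has a "Host" entry with
#   the same alias.
deploy_ssh_breadcrumb() {
    ssh_dir=$1 key_src=$2 cfg_src=$3 key_name=$4
    umask 077                       # new files are private by default
    host_alias=$(awk '$1=="Host"{print $2; exit}' "$cfg_src")
    [ -n "$host_alias" ] || { echo "no Host line in $cfg_src" >&2; return 1; }
    if [ -f "$ssh_dir/config" ] &&
       awk -v a="$host_alias" '$1=="Host" && $2==a {f=1} END {exit !f}' "$ssh_dir/config"; then
        echo "Host $host_alias already in $ssh_dir/config, not appending" >&2
        return 1
    fi
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    # ssh rejects a private key that is group/world readable, so 0600 is
    # both what a real key looks like and what lets an attacker use it.
    cp "$key_src" "$ssh_dir/$key_name" && chmod 600 "$ssh_dir/$key_name" || return 1
    # Separate the new entry from existing ones with a blank line.
    { [ -s "$ssh_dir/config" ] && printf '\n'; cat "$cfg_src"; } >> "$ssh_dir/config"
    chmod 600 "$ssh_dir/config"
}

# check_ssh_breadcrumb SSH_DIR KEY_NAME
#   Post-deployment check: directory is 0700, key is 0600 and the config
#   entry references the key. Exit status 0 when all three hold.
check_ssh_breadcrumb() {
    ssh_dir=$1 key_name=$2
    [ -n "$(find "$ssh_dir" -prune -perm 700)" ] || return 1
    [ -n "$(find "$ssh_dir/$key_name" -perm 600)" ] || return 1
    grep -q "IdentityFile .*$key_name" "$ssh_dir/config"
}

# --- constructed sample input: what the extracted ZIP might contain ---
demo=$(mktemp -d)
cat > "$demo/jhb-router.key" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END OPENSSH PRIVATE KEY-----
EOF
cat > "$demo/jhb-router.conf" <<'EOF'
Host jhb-router
    HostName 192.0.2.10
    Port 22
    User ops
    IdentityFile ~/.ssh/jhb-router.key
EOF

# Deploy into a throwaway home directory; on the real host use "$HOME/.ssh".
deploy_ssh_breadcrumb "$demo/home/.ssh" "$demo/jhb-router.key" "$demo/jhb-router.conf" jhb-router.key
check_ssh_breadcrumb "$demo/home/.ssh" jhb-router.key && echo "breadcrumb deployed in $demo/home/.ssh"
```

Running the deployment a second time against the same config is refused, so re-running the script on a host that already carries the breadcrumb does not leave two identical Host entries behind. Once the files are in place on the real host, a quick end-to-end check is to connect with the alias from that host (ssh -F ~/.ssh/config jhb-router in this example); expect the two alerts described below, since the connection is itself a use of the Breadcrumb.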
Alerts
Two alerts are generated when the SSH Key Breadcrumb is used, and both are shown in the Alerts view:
Alert 1: SSH Key Breadcrumb Used
This alert includes the reminder configured when the Breadcrumb was created, helping you quickly identify the host and location where the SSH Key Breadcrumb was deployed. In this example, the reminder is:
bastion-west | ~/.ssh/config
Alert 2: SSH Login Attempt
This is the standard SSH Login Attempt alert generated by the Canary. It contains the SSH connection details associated with the login attempt, including the username and credentials used, the source IP address, the SSH client version, and other SSH connection information.
You’ve made it!