SSHazam: Hide Your C2 Inside of SSH
Summary
SSHazam is a technique that allows command and control (C2) traffic to be hidden within standard SSH tunnels. This method aims to evade network detection systems by disguising malicious activity as legitimate SSH connections.
IFF Assessment
FOE
This article describes a technique that can be used by attackers to evade detection, making it bad news for defenders.
Defender Context
Defenders should be aware of techniques like SSHazam that obscure malicious traffic within encrypted channels. Monitoring SSH traffic for unusual patterns, user behavior, and payload characteristics can help detect such evasive C2 communications.
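The monitoring the Defender Context paragraph recommends can be turned into a concrete first pass over sshd logs. The script below is an added example written for this summary; it is not code from the SSHazam article or its author. It parses constructed syslog-style sshd lines (the sample log, the `known_sources` allowlist, the 8-hour session threshold and the 10-second jitter tolerance are all assumptions chosen for illustration), correlates accepted logins with session closures by sshd PID, and flags three patterns that would be worth a look when C2 is suspected of riding inside SSH: logins from sources outside the expected set, sessions that stay open far longer than interactive use would, and the same user reconnecting from the same source at suspiciously regular intervals.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd (syslog) lines used only for this example; none are from the article.
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1001]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2: RSA SHA256:abc
Mar 10 09:05:30 host sshd[1001]: pam_unix(sshd:session): session closed for user alice
Mar 10 09:10:00 host sshd[1002]: Accepted publickey for svc-backup from 203.0.113.7 port 40000 ssh2: RSA SHA256:def
Mar 10 21:10:00 host sshd[1002]: pam_unix(sshd:session): session closed for user svc-backup
Mar 10 10:00:00 host sshd[1003]: Accepted publickey for bob from 203.0.113.7 port 40001 ssh2: RSA SHA256:ghi
Mar 10 10:00:05 host sshd[1003]: pam_unix(sshd:session): session closed for user bob
Mar 10 10:01:00 host sshd[1004]: Accepted publickey for bob from 203.0.113.7 port 40002 ssh2: RSA SHA256:ghi
Mar 10 10:01:05 host sshd[1004]: pam_unix(sshd:session): session closed for user bob
Mar 10 10:02:00 host sshd[1005]: Accepted publickey for bob from 203.0.113.7 port 40003 ssh2: RSA SHA256:ghi
Mar 10 10:02:05 host sshd[1005]: pam_unix(sshd:session): session closed for user bob
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (\S+) from (\S+) port \d+")
CLOSE_RE = re.compile(r"session closed for user (\S+)")


def parse_sessions(log_text):
    """Correlate 'Accepted ...' and 'session closed' lines by sshd PID into sessions."""
    open_by_pid = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog stamps carry no year; that is fine for durations within one day.
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        a = ACCEPT_RE.match(msg)
        if a:
            open_by_pid[pid] = {"pid": pid, "user": a.group(1), "src": a.group(2),
                                "start": ts, "end": None}
            continue
        if CLOSE_RE.search(msg) and pid in open_by_pid:
            s = open_by_pid.pop(pid)
            s["end"] = ts
            sessions.append(s)
    # Sessions still open when the log ends are kept with end=None.
    sessions.extend(open_by_pid.values())
    return sorted(sessions, key=lambda s: s["start"])


def detect(sessions, known_sources, long_session_hours=8, min_beacons=3, jitter_s=10):
    """Return (rule, user, src) findings for unusual SSH session patterns.

    Thresholds are illustrative assumptions, not values from the article.
    """
    findings = []
    flagged_unknown = set()
    starts_by_key = defaultdict(list)
    for s in sessions:
        key = (s["user"], s["src"])
        # Rule 1: login from a source outside the expected administrative set.
        if s["src"] not in known_sources and key not in flagged_unknown:
            flagged_unknown.add(key)
            findings.append(("unknown-source", s["user"], s["src"]))
        # Rule 2: session held open far longer than interactive use would need.
        if s["end"] is not None and \
                (s["end"] - s["start"]).total_seconds() > long_session_hours * 3600:
            findings.append(("long-session", s["user"], s["src"]))
        starts_by_key[key].append(s["start"])
    # Rule 3: repeated reconnects from one user/source at near-constant intervals.
    for (user, src), starts in starts_by_key.items():
        if len(starts) < min_beacons:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            findings.append(("regular-reconnects", user, src))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_sessions(SAMPLE_LOG), known_sources={"10.0.0.5"}):
        print(*finding)
```

Run against the sample, the known admin host 10.0.0.5 produces nothing, while 203.0.113.7 is reported once as an unknown source per user, the 12-hour svc-backup session trips the long-session rule, and bob's three logins exactly one minute apart trip the regular-reconnect rule. In practice the allowlist, thresholds and jitter tolerance need tuning to the environment, and these host-log rules complement rather than replace flow-level inspection of the SSH traffic itself.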