SSH Honeypots Miss Most Post-Login Attacks by Focusing on Interactive Shells
SSH honeypots, widely used in cyber defense, may miss most real-world post-login attacker activity, according to new research that challenges long-standing assumptions in deception technology.
A recent study titled “Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots” by researchers from the Czech Technical University reveals that most attackers do not interact with SSH systems through traditional shell sessions.
Instead, they rely on automated, non-interactive commands that execute instantly and disconnect, leaving many honeypots blind to critical attack behavior.
The researchers deployed eleven high-interaction SSH honeypots across cloud infrastructure for 15 days, capturing 177,622 authenticated sessions. Their findings were striking: 99.23% of sessions were non-interactive, while only 0.10% involved interactive shell access. File transfer attempts accounted for just 0.67%.
These results were independently validated using a large dataset from the CZ.NIC Cowrie honeypot network, confirming the same pattern at scale.
SSH Honeypots Miss Post-Login Attacks
This discovery contradicts a core assumption in SSH honeypot design that attackers log in and manually execute commands within an interactive shell.
Many modern honeypots, including those powered by large language models, are built specifically to simulate realistic shell environments and measure success based on how long attackers stay connected or how many commands they issue.
However, the study shows that such metrics are increasingly irrelevant. In most cases, attackers authenticate, run a single command using SSH’s exec mode, and disconnect in under a second.
These commands are typically automated and designed for reconnaissance or verification rather than prolonged interaction. Common commands observed include system profiling queries such as uname, whoami, uptime, and nproc, which attackers can use to assess the target environment quickly.
The researchers identified over 9,000 unique command strings. However, a small subset accounted for a large share of activity, indicating coordinated automated campaigns.
More notably, the study highlights verification probe commands designed to determine whether a target is a real system or a honeypot.
For example, attackers used base64 decoding or arithmetic operations like echo $((7*6)) to check if the system returns accurate results. These tests are particularly effective against LLM-based honeypots, which may generate plausible but incorrect outputs.
In total, the researchers identified over 2,000 such verification attempts. Some probes also checked for known honeypot artifacts, such as specific processes or writable system files, though these were less common.
The implications for cybersecurity research and defense are significant. Honeypots that focus solely on interactive shell sessions may capture only a fraction of actual attacker behavior, leading to skewed insights and ineffective detection strategies.
Similarly, evaluating honeypot performance based on engagement duration or interaction depth may no longer reflect real-world threats.
According to the Czech Technical University, SSH honeypots should support non-interactive command execution and deliver accurate command responses.
Success should be measured by whether the system behaves like a real host under automated probing, rather than how convincingly it simulates human-like interaction.
The findings also indicate a broader shift in attacker behavior toward automation and large-scale scanning. Rather than manually exploring compromised systems, attackers increasingly rely on scripts that perform rapid checks across thousands of targets.
This evolution underscores the need for updated deception strategies that align with current attack patterns. Without adapting to non-interactive techniques, many honeypots risk becoming obsolete, capturing only a narrow and outdated view of the threat landscape.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post SSH Honeypots Miss Most Post-Login Attacks by Focusing on Interactive Shells appeared first on Cyber Security News.
Abinaya
Go to cyber-security-news