DET0256 Detection Strategy for SSH Session Hijacking

Item	Value
ID	DET0256
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1563.001 (SSH Hijacking)

Analytics

Linux

AN0710

Suspicious reuse of SSH agent sockets across multiple users or processes, anomalous access to ~/.ssh/ or /tmp/ssh-* sockets, and abnormal patterns of lateral movement via SSH without new authentication events. Defender view: detect when one process accesses another user’s SSH agent or when an existing SSH connection is used to pivot unexpectedly.

Log Sources

Data Component	Name	Channel
Network Connection Creation (DC0082)	auditd:SYSCALL	open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK
Process Creation (DC0032)	auditd:EXECVE	Execution of ssh/scp/sftp without corresponding authentication log
Logon Session Creation (DC0067)	NSM:Connections	Missing new login event but session activity continues

Mutable Elements

Field	Description
UserContext	Tune alerts for cross-user access to SSH agent sockets.
TimeWindow	Correlate lack of authentication with lateral SSH activity within a short timeframe.

macOS

AN0711

Unusual access to SSH agent sockets in /tmp/ or /private/tmp, process access to another user’s $SSH_AUTH_SOCK, and lateral SSH activity without corresponding login events. Defender view: correlation of socket access with anomalous network flows to internal systems.

Log Sources

Data Component	Name	Channel
Process Metadata (DC0034)	macos:unifiedlog	Process opening SSH_AUTH_SOCK or /tmp/ssh-* socket not owned by same UID
Process Creation (DC0032)	macos:unifiedlog	Execution of ssh or sftp without corresponding login event
Logon Session Creation (DC0067)	macos:unifiedlog	Session reuse without new auth event

Mutable Elements

Field	Description
SocketPathScope	Limit detection to monitored SSH agent socket directories.
BaselineUsers	Establish normal SSH agent ownership and expected usage for tuning.