DET0596 Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution
| Item | Value |
| --- | --- |
| ID | DET0596 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1021.004 (SSH)
Analytics
Linux
AN1638
SSH login from a remote system (via sshd), followed by user context execution of suspicious binaries or privilege escalation behavior.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TimeWindow | Defines the correlation window from login to first post-SSH process (e.g., 60s) |
| SuspiciousProcessList | List of binaries considered unusual in an SSH context (e.g., nc, base64, bash -i) |
| UsernameFilter | Accounts of interest for SSH logins (e.g., root, admin) |
macOS
AN1639
SSH login detected via Unified Logs, followed by unusual process execution, especially outside normal user behavior patterns.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TimeWindow | Time range to correlate post-SSH activities (e.g., 45s) |
| UserContext | Defines authorized users to reduce false positives |
| CommandLineKeywords | Suspicious terms such as reverse shells, base64, curl |
ESXi
AN1640
SSH login via hostd or /var/log/auth.log, followed by CLI access to host shell or file manipulation in restricted areas.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| AllowedUsers | Legitimate SSH users for this host |
| TimeWindow | Correlates the SSH login with unauthorized commands or shell access |
| CommandList | Flags commands such as esxcli, rm, chmod post-login |