T1021.004 SSH Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect suspicious SSH lateral movement on Linux/macOS
let SuspiciousSshPatterns = dynamic([
  "ssh -o StrictHostKeyChecking=no",
  "ssh -i ",
  "ProxyJump",
  "ProxyCommand",
  "StrictHostKeyChecking=no",
  "-D ",  // SOCKS proxy
  "-L ",  // Local port forward
  "-R ",  // Reverse port forward
  "-N ",  // No command (tunnel)
  "authorized_keys"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("ssh", "scp", "sftp", "ssh-agent", "ssh-add")
| where ProcessCommandLine has_any (SuspiciousSshPatterns)
| extend IsTunnel = ProcessCommandLine has_any ("-D ", "-L ", "-R ", "-N ")
| extend IsNoHostCheck = ProcessCommandLine has "StrictHostKeyChecking=no"
| extend IsKeyAuth = ProcessCommandLine has "-i "
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsTunnel, IsNoHostCheck, IsKeyAuth
| union (
    // Detect SSH authorized_keys modification
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType in ("FileCreated", "FileModified")
    | where FolderPath has ".ssh" and FileName =~ "authorized_keys"
    | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
             FileName, FolderPath, InitiatingProcessFileName
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution File: File Modification Network Traffic: Network Connection Creation

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceNetworkEvents

False Positives

System administrators using SSH tunnels for legitimate remote administration and database connectivity
Automated deployment tools (Ansible, Fabric, Capistrano) using SSH with key-based auth and StrictHostKeyChecking=no in provisioning scripts
CI/CD pipelines (Jenkins, GitLab) using SSH for deployment to multiple servers
Bastion host or jump server configurations that establish SSH connections to internal hosts on behalf of users
Developers using SSH port forwarding for local development against remote services (database tunnels, etc.)

Splunk

spl

index=linux_audit OR index=syslog OR index=osquery (sourcetype="linux_audit" OR sourcetype="syslog" OR sourcetype="osquery:results")
(
  sourcetype="linux_audit" type=EXECVE
  (a0="ssh" OR a0="scp" OR a0="sftp")
| eval CommandLine=mvjoin(mvappend(a0,a1,a2,a3,a4,a5,a6,a7,a8,a9), " ")
| eval IsTunnel=if(match(CommandLine, "\s-[DLRNnN]\s"), 1, 0)
| eval NoHostCheck=if(match(CommandLine, "StrictHostKeyChecking.?no"), 1, 0)
| eval IsKeyAuth=if(match(CommandLine, "\s-i\s"), 1, 0)
| eval RiskScore=IsTunnel + NoHostCheck + IsKeyAuth
| where RiskScore > 0
| table _time, host, auid, CommandLine, IsTunnel, NoHostCheck, IsKeyAuth, RiskScore
)
OR
(
  sourcetype="syslog" ("sshd" OR "OpenSSH")
  ("Accepted" OR "Failed" OR "Invalid")
| rex field=_raw "sshd\[\d+\]: (?P<AuthResult>\w+) (?P<AuthMethod>\w+) for (?P<TargetUser>\S+) from (?P<SourceIP>\S+) port (?P<Port>\d+)"
| eval AuthSuccess=if(AuthResult=="Accepted", 1, 0)
| eval AuthFailed=if(AuthResult=="Failed" OR AuthResult=="Invalid", 1, 0)
| stats sum(AuthSuccess) as Successes, sum(AuthFailed) as Failures, dc(TargetUser) as UniqueUsers by SourceIP, host
| where Failures >= 5 OR (Failures >= 3 AND Successes >= 1)
| eval RiskScore=Failures + (Successes * 5) + (UniqueUsers * 2)
| sort - RiskScore
)

high severity medium confidence

Data Sources

Process: Process Creation Logon Session: Logon Session Creation linux_audit (auditd) syslog (SSH daemon logs)

Required Sourcetypes

linux_audit syslog

False Positives

System administrators using SSH tunnels for legitimate remote administration
Automated deployment tools (Ansible, Fabric) using SSH with key-based auth
CI/CD pipelines using SSH for deployment to multiple servers
Bastion host configurations that establish SSH connections to internal hosts
Developers using SSH port forwarding for local development

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   process.name in ("ssh", "scp", "sftp", "ssh-agent", "ssh-add") and
   (
     process.args : "StrictHostKeyChecking=no" or
     process.args : "-i" or
     process.args : "ProxyJump" or
     process.args : "ProxyCommand" or
     process.args : "-D" or
     process.args : "-L" or
     process.args : "-R" or
     process.args : "-N" or
     process.command_line : "*authorized_keys*"
   )
  ] by process.pid
| [any where true] by process.parent.pid

OR

sequence by host.name with maxspan=1h
  [file where event.type in ("creation", "change") and
   file.name == "authorized_keys" and
   file.path : "*/.ssh/*"
  ]
  [process where event.type == "start" and
   process.name in ("ssh", "scp", "sftp")
  ]

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat Filebeat (syslog/auditd)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* auditbeat-*

False Positives

Legitimate system administrators using SSH tunnels for authorized remote access or jump hosts defined in corporate runbooks
Automated deployment pipelines (Ansible, Terraform, Chef) that use SSH with custom keys and disable strict host checking for ephemeral infrastructure
Backup or monitoring agents (e.g., rsync over SSH, Nagios NRPE) that modify authorized_keys as part of provisioning workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  username AS Username,
  hostname AS Hostname,
  "COMMAND" AS CommandExecuted,
  CATEGORYNAME(category) AS EventCategory,
  QIDNAME(qid) AS EventName,
  logsourcename(logsourceid) AS LogSource
FROM events
WHERE
  LOGSOURCETYPEID IN (13, 9, 105, 347)
  AND (
    ("COMMAND" ILIKE '%ssh%' OR "COMMAND" ILIKE '%scp%' OR "COMMAND" ILIKE '%sftp%')
    AND (
      "COMMAND" ILIKE '%StrictHostKeyChecking=no%'
      OR "COMMAND" ILIKE '%ProxyJump%'
      OR "COMMAND" ILIKE '%ProxyCommand%'
      OR "COMMAND" ILIKE '% -D %'
      OR "COMMAND" ILIKE '% -L %'
      OR "COMMAND" ILIKE '% -R %'
      OR "COMMAND" ILIKE '% -N %'
      OR "COMMAND" ILIKE '% -i %'
      OR "COMMAND" ILIKE '%authorized_keys%'
    )
  )
  OR (
    QIDNAME(qid) ILIKE '%sshd%'
    AND (
      UTF8(payload) ILIKE '%Failed password%'
      OR UTF8(payload) ILIKE '%Invalid user%'
      OR UTF8(payload) ILIKE '%Accepted publickey%'
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Linux OS (syslog) Linux Audit Log (auditd) IBM QRadar Network Packet Capture

Required Tables

events

False Positives

Infrastructure automation tools (Ansible, SaltStack) that routinely SSH to managed nodes using deployment keys and suppress host key prompts for dynamic inventory
IT operations teams using SSH ProxyJump configurations defined in corporate SSH config files for bastion host access patterns
CI/CD pipelines in containers that generate ephemeral authorized_keys entries during build or deploy stages

Sumo Logic CSE

sql

(_sourceCategory="linux/audit" OR _sourceCategory="linux/syslog" OR _sourceCategory="osquery")
| where _raw matches /ssh|scp|sftp|ssh-agent|ssh-add/
| parse regex field=_raw "type=EXECVE.*?a0=\"(?P<a0>[^\"]+)\""
| parse regex field=_raw "a1=\"(?P<a1>[^\"]+)\""
| parse regex field=_raw "a2=\"(?P<a2>[^\"]+)\""
| parse regex field=_raw "a3=\"(?P<a3>[^\"]+)\""
| where a0 in ("ssh","scp","sftp","ssh-agent","ssh-add")
| concat(a0, " ", a1, " ", a2, " ", a3) as CommandLine
| where CommandLine matches /StrictHostKeyChecking.?no|-[DLRN] |ProxyJump|ProxyCommand|-i |authorized_keys/
| eval IsTunnel = if(CommandLine matches / -[DLRN] /, 1, 0)
| eval NoHostCheck = if(CommandLine matches /StrictHostKeyChecking.?no/, 1, 0)
| eval IsKeyAuth = if(CommandLine matches / -i /, 1, 0)
| eval IsProxyChain = if(CommandLine matches /ProxyJump|ProxyCommand/, 1, 0)
| eval AuthKeysModify = if(CommandLine matches /authorized_keys/, 1, 0)
| eval RiskScore = IsTunnel + NoHostCheck + IsKeyAuth + IsProxyChain + AuthKeysModify
| where RiskScore > 0
| count by _sourceHost, CommandLine, IsTunnel, NoHostCheck, IsKeyAuth, IsProxyChain, AuthKeysModify, RiskScore
| sort by RiskScore desc

// Companion: SSH auth failure brute-force from syslog
// Run separately:
// _sourceCategory="linux/syslog" sshd (Failed OR Invalid OR Accepted)
// | parse "from * port" as SourceIP
// | parse "for * from" as TargetUser
// | parse "* password" as AuthResult
// | timeslice 10m
// | count by SourceIP, AuthResult, _timeslice
// | where _count > 5

high severity medium confidence

Data Sources

Linux Audit Log (auditd via Sumo Logic Collector) Linux Syslog osquery scheduled query results

Required Tables

_sourceCategory=linux/audit _sourceCategory=linux/syslog _sourceCategory=osquery

False Positives

DevOps engineers with SSH config profiles using ProxyJump for tiered bastion access to production environments, which will match ProxyJump and StrictHostKeyChecking patterns
Automated certificate rotation jobs that write new public keys to authorized_keys files on multiple hosts as part of scheduled key rotation
Security scanning tools (e.g., ssh-audit, OpenSCAP) that probe SSH configurations and may invoke SSH with unusual flags during compliance assessments

Google Chronicle / SecOps

yaral

rule ssh_lateral_movement_suspicious {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious SSH lateral movement including tunneling, disabled host key checking, explicit identity key usage, ProxyJump chaining, and authorized_keys modification on Linux and macOS endpoints."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.004"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        $e.principal.process.file.full_path = /\/(ssh|scp|sftp|ssh-agent|ssh-add)$/
        or $e.target.process.file.full_path = /\/(ssh|scp|sftp|ssh-agent|ssh-add)$/
      )
      and (
        $e.target.process.command_line = /StrictHostKeyChecking.?no/
        or $e.target.process.command_line = / -i /
        or $e.target.process.command_line = /ProxyJump/
        or $e.target.process.command_line = /ProxyCommand/
        or $e.target.process.command_line = / -[DLRN] /
        or $e.target.process.command_line = /authorized_keys/
      )
    )
    or
    (
      $e.metadata.event_type = "FILE_MODIFICATION"
      and $e.target.file.full_path = /\.ssh\/authorized_keys/
    )

  match:
    $e.principal.hostname over 5m

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Google Chronicle Endpoint Telemetry Linux OS parser (auditd/syslog ingested via Chronicle forwarder)

Required Tables

UDM events (PROCESS_LAUNCH, FILE_MODIFICATION)

False Positives

System administration scripts using SSH with custom keys and permissive host checking for automated patching or configuration management across large server fleets
Container orchestration platforms (Kubernetes operators, Helm hooks) that establish SSH tunnels or manage authorized_keys for node bootstrapping
Penetration testing teams conducting authorized internal red team exercises that simulate SSH lateral movement as part of scoped engagements

CrowdStrike LogScale (CQL)

cql

// Suspicious SSH process execution with lateral movement indicators
#event_simpleName=ProcessRollup2
| ImageFileName = /\/(ssh|scp|sftp|ssh-agent|ssh-add)$/
| CommandLine = /(StrictHostKeyChecking.?no| -i |ProxyJump|ProxyCommand| -[DLRN] |authorized_keys)/
| IsTunnel := if(CommandLine = / -[DLRN] /, "true", "false")
| NoHostCheck := if(CommandLine = /StrictHostKeyChecking.?no/, "true", "false")
| IsKeyAuth := if(CommandLine = / -i /, "true", "false")
| IsProxyChain := if(CommandLine = /ProxyJump|ProxyCommand/, "true", "false")
| IsAuthKeysModify := if(CommandLine = /authorized_keys/, "true", "false")
| RiskScore := sum([if(IsTunnel = "true", 2, 0), if(NoHostCheck = "true", 2, 0), if(IsKeyAuth = "true", 1, 0), if(IsProxyChain = "true", 2, 0), if(IsAuthKeysModify = "true", 3, 0)])
| where RiskScore > 0
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, IsTunnel, NoHostCheck, IsKeyAuth, IsProxyChain, IsAuthKeysModify, RiskScore], function=count(as=EventCount))
| sort(RiskScore, order=desc)

// Companion: SSH-related file creation/modification for authorized_keys
// Run separately:
// #event_simpleName=PeFileWritten OR #event_simpleName=NewScriptWritten
// | TargetFileName = /\.ssh\/authorized_keys/
// | groupBy([ComputerName, UserName, TargetFileName, CommandHistory], function=count(as=WriteCount))
// | sort(WriteCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2) CrowdStrike Falcon FileVantage or file write telemetry

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=PeFileWritten #event_simpleName=NewScriptWritten

False Positives

Site reliability engineers using ssh-agent forwarding and ProxyJump via corporate bastion hosts for multi-tier infrastructure access, common in cloud-native environments
Automated secrets rotation workflows that programmatically update authorized_keys files across fleets as part of scheduled cryptographic hygiene operations
Development environments where engineers clone repositories or sync files over SSH using custom identity files and relaxed host checking against ephemeral cloud instances

SSH

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Lateral Movement

Popular Detections