T1021.004 CrowdStrike LogScale · LogScale

Detect SSH in CrowdStrike LogScale

Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). SSH allows authorized users to open remote shells on Linux, macOS, and ESXi systems. Adversaries leverage existing SSH keys or stolen passwords to pivot between systems. Notable actors using SSH for lateral movement include FIN7, Lazarus Group, Leviathan, Scattered Spider, BlackTech, and APT groups targeting cloud and ESXi environments. SSH lateral movement may also involve agent forwarding abuse, key theft, adding attacker-controlled public keys to authorized_keys files, or chaining through multiple hosts to obscure the original source.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.004 SSH
Canonical reference
https://attack.mitre.org/techniques/T1021/004/

LogScale Detection Query

// Suspicious SSH process execution with lateral movement indicators
#event_simpleName=ProcessRollup2
| ImageFileName = /\/(ssh|scp|sftp|ssh-agent|ssh-add)$/
| CommandLine = /(StrictHostKeyChecking.?no| -i |ProxyJump|ProxyCommand| -[DLRN] |authorized_keys)/
// Per-indicator flags; LogScale's if() takes named then= / else= arguments
| IsTunnel := if(CommandLine = / -[DLRN] /, then="true", else="false")
| NoHostCheck := if(CommandLine = /StrictHostKeyChecking.?no/, then="true", else="false")
| IsKeyAuth := if(CommandLine = / -i /, then="true", else="false")
| IsProxyChain := if(CommandLine = /ProxyJump|ProxyCommand/, then="true", else="false")
| IsAuthKeysModify := if(CommandLine = /authorized_keys/, then="true", else="false")
// Composite per-event score. sum() is an aggregate across events, so each
// indicator is weighted into its own field and the fields are added per event.
| TunnelScore := if(IsTunnel = "true", then=2, else=0)
| NoHostCheckScore := if(NoHostCheck = "true", then=2, else=0)
| KeyAuthScore := if(IsKeyAuth = "true", then=1, else=0)
| ProxyChainScore := if(IsProxyChain = "true", then=2, else=0)
| AuthKeysScore := if(IsAuthKeysModify = "true", then=3, else=0)
| RiskScore := TunnelScore + NoHostCheckScore + KeyAuthScore + ProxyChainScore + AuthKeysScore
| RiskScore > 0
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, IsTunnel, NoHostCheck, IsKeyAuth, IsProxyChain, IsAuthKeysModify, RiskScore], function=count(as=EventCount))
| sort(RiskScore, order=desc, type=number)

// Companion: SSH-related file creation/modification for authorized_keys
// Run separately:
// #event_simpleName=PeFileWritten OR #event_simpleName=NewScriptWritten
// | TargetFileName = /\.ssh\/authorized_keys/
// | groupBy([ComputerName, UserName, TargetFileName, CommandHistory], function=count(as=WriteCount))
// | sort(WriteCount, order=desc, type=number)
Severity: high · Confidence: high

CrowdStrike LogScale CQL query detecting suspicious SSH lateral movement by matching ProcessRollup2 events for SSH-family binaries with high-risk command line patterns. Computes a composite risk score from tunnel flags, proxy chaining, disabled host key checking, explicit key files, and authorized_keys references. Companion query identifies authorized_keys file write events.
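The same filter-and-score logic as a Python reference, run over a few constructed ProcessRollup2 events, so the weights can be checked offline before the query is deployed. This is an added example, not code from the page or from CrowdStrike; the field names are the ones the query uses, the sample hosts, users and command lines are made up.

```python
import re
from typing import Dict, List

# Patterns and weights mirror the LogScale query (same regexes, same scores).
SSH_BINARY = re.compile(r"/(ssh|scp|sftp|ssh-agent|ssh-add)$")
INDICATORS = {
    # flag name: (pattern searched in CommandLine, weight added to RiskScore)
    "IsTunnel": (re.compile(r" -[DLRN] "), 2),
    "NoHostCheck": (re.compile(r"StrictHostKeyChecking.?no"), 2),
    "IsKeyAuth": (re.compile(r" -i "), 1),
    "IsProxyChain": (re.compile(r"ProxyJump|ProxyCommand"), 2),
    "IsAuthKeysModify": (re.compile(r"authorized_keys"), 3),
}

def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Annotate one event with indicator flags and RiskScore.
    Returns {} when the event would not survive the query's filters."""
    if event.get("event_simpleName") != "ProcessRollup2":
        return {}
    if not SSH_BINARY.search(event.get("ImageFileName", "")):
        return {}                     # not an SSH-family binary
    cmd = event.get("CommandLine", "")
    flags = {name: bool(pat.search(cmd)) for name, (pat, _) in INDICATORS.items()}
    risk = sum(w for name, (_, w) in INDICATORS.items() if flags[name])
    if risk == 0:
        return {}                     # equivalent of "RiskScore > 0"
    return {**event, **flags, "RiskScore": risk}

def score_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score a batch and sort by RiskScore descending, like the query's sort()."""
    scored = [s for s in (score_event(e) for e in events) if s]
    return sorted(scored, key=lambda e: e["RiskScore"], reverse=True)

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "web01", "UserName": "svc_deploy",
     "ImageFileName": "/usr/bin/ssh",
     "CommandLine": "ssh -o StrictHostKeyChecking=no -i /tmp/stolen_id_rsa root@10.0.0.5"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "web01", "UserName": "alice",
     "ImageFileName": "/usr/bin/ssh", "CommandLine": "ssh -D 1080 -N -f jump.example.internal"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "db02", "UserName": "bob",
     "ImageFileName": "/usr/bin/ssh", "CommandLine": "ssh db03"},              # no indicators
    {"event_simpleName": "ProcessRollup2", "ComputerName": "db02", "UserName": "bob",
     "ImageFileName": "/bin/bash", "CommandLine": "bash -c 'cat ~/.ssh/authorized_keys'"},
]

if __name__ == "__main__":
    for e in score_events(SAMPLE_EVENTS):
        print(e["ComputerName"], e["UserName"], e["RiskScore"], e["CommandLine"])
```

The last sample shows a limit worth remembering when tuning: an authorized_keys reference issued through a non-SSH binary never reaches the scoring stage, which is why the companion file-write query exists.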

Data Sources

  • CrowdStrike Falcon Endpoint (ProcessRollup2)
  • CrowdStrike Falcon FileVantage or file write telemetry

Required Tables

  • #event_simpleName=ProcessRollup2
  • #event_simpleName=PeFileWritten
  • #event_simpleName=NewScriptWritten

False Positives & Tuning

  • Site reliability engineers using ssh-agent forwarding and ProxyJump via corporate bastion hosts for multi-tier infrastructure access, common in cloud-native environments
  • Automated secrets rotation workflows that programmatically update authorized_keys files across fleets as part of scheduled cryptographic hygiene operations
  • Development environments where engineers clone repositories or sync files over SSH using custom identity files and relaxed host checking against ephemeral cloud instances

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SSH Lateral Movement to Remote Host

    Expected signal: Linux auditd EXECVE record for ssh binary with arguments. Syslog entry from sshd on target: 'Accepted password for testuser from <source_ip>'. Linux auditd USER_LOGIN event. Process creation for ssh child process.

  2. Test 2: SSH SOCKS Proxy Tunnel Creation

    Expected signal: Linux auditd EXECVE for ssh with -D 1080 -N -f flags. Process runs in background (due to -f flag). Network connection established on source port 1080 (SOCKS listener). Syslog entry on target for SSH connection.

  3. Test 3: Add Attacker SSH Public Key to authorized_keys

    Expected signal: Linux auditd OPEN event for ~/.ssh/authorized_keys with write flag. File modification timestamp change. Sysmon for Linux (if deployed): FileCreate/FileModify event for authorized_keys path.

  4. Test 4: SSH Key-Based Lateral Movement with Stolen Key

    Expected signal: Linux auditd EXECVE for ssh with -i /tmp/stolen_id_rsa. OPEN event for /tmp/stolen_id_rsa (private key access). Network connection to target port 22. Syslog on target: 'Accepted publickey for root'.
