Detect SSH in Sumo Logic CSE
Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). SSH allows authorized users to open remote shells on Linux, macOS, and ESXi systems. Adversaries leverage existing SSH keys or stolen passwords to pivot between systems. Notable actors using SSH for lateral movement include FIN7, Lazarus Group, Leviathan, Scattered Spider, BlackTech, and APT groups targeting cloud and ESXi environments. SSH lateral movement may also involve agent forwarding abuse, key theft, adding attacker-controlled public keys to authorized_keys files, or chaining through multiple hosts to obscure the original source.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1021 Remote Services
- Sub-technique: T1021.004 SSH
- Canonical reference: https://attack.mitre.org/techniques/T1021/004/
Sumo Detection Query
(_sourceCategory="linux/audit" OR _sourceCategory="linux/syslog" OR _sourceCategory="osquery")
| where _raw matches /ssh|scp|sftp|ssh-agent|ssh-add/
// nodrop keeps records with fewer than four arguments (e.g. "ssh -o StrictHostKeyChecking=no")
| parse regex field=_raw "type=EXECVE.*?a0=\"(?<a0>[^\"]+)\"" nodrop
| parse regex field=_raw "a1=\"(?<a1>[^\"]+)\"" nodrop
| parse regex field=_raw "a2=\"(?<a2>[^\"]+)\"" nodrop
| parse regex field=_raw "a3=\"(?<a3>[^\"]+)\"" nodrop
| where a0 in ("ssh","scp","sftp","ssh-agent","ssh-add")
| concat(a0, " ", a1, " ", a2, " ", a3) as CommandLine
| where CommandLine matches /StrictHostKeyChecking.?no|-[DLRN] |ProxyJump|ProxyCommand|-i |authorized_keys/
| if(CommandLine matches / -[DLRN] /, 1, 0) as IsTunnel
| if(CommandLine matches /StrictHostKeyChecking.?no/, 1, 0) as NoHostCheck
| if(CommandLine matches / -i /, 1, 0) as IsKeyAuth
| if(CommandLine matches /ProxyJump|ProxyCommand/, 1, 0) as IsProxyChain
| if(CommandLine matches /authorized_keys/, 1, 0) as AuthKeysModify
| IsTunnel + NoHostCheck + IsKeyAuth + IsProxyChain + AuthKeysModify as RiskScore
| where RiskScore > 0
| count by _sourceHost, CommandLine, IsTunnel, NoHostCheck, IsKeyAuth, IsProxyChain, AuthKeysModify, RiskScore
| sort by RiskScore desc

// Companion: SSH auth failure brute-force from syslog (run separately)
_sourceCategory="linux/syslog" sshd (Failed OR Invalid OR Accepted)
| parse "from * port" as SourceIP nodrop
| parse "for * from" as TargetUser nodrop
| parse regex "sshd\[\d+\]: (?<AuthResult>Accepted|Failed|Invalid) " nodrop
| timeslice 10m
| count by SourceIP, AuthResult, _timeslice
| where _count > 5

Detects suspicious SSH execution patterns on Linux by parsing auditd EXECVE records and syslog events. Builds a composite risk score from tunnel flags, disabled host key checking, explicit key usage, proxy jump chaining, and authorized_keys manipulation. The companion query surfaces SSH brute-force patterns from sshd syslog.
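The Python harness below is an added example, not code from this page or from Sumo Logic. It reimplements the logic of both queries (the EXECVE command-line risk score and the 10-minute sshd burst count) over constructed auditd and syslog lines, so the indicator regexes and the threshold can be exercised offline before the rule is deployed. The sample records, host names, IPs (RFC 5737 ranges) and function names are all constructed for the example; the argument values mirror the expected signals listed under Testing Methodology.

```python
"""Offline check of the two Sumo queries above: EXECVE risk scoring and sshd auth bursts.
Added example with constructed sample telemetry; not code from the page or from Sumo Logic."""
import re
from collections import Counter
from datetime import datetime

# Constructed auditd EXECVE records (not real telemetry); argument values mirror the
# Testing Methodology's expected signals (-D 1080 -N, -i /tmp/stolen_id_rsa, ...).
EXECVE_SAMPLES = [
    'type=EXECVE msg=audit(1700000000.123:456): argc=5 a0="ssh" a1="-D" a2="1080" a3="-N" a4="bastion"',
    'type=EXECVE msg=audit(1700000001.456:457): argc=5 a0="scp" a1="-o" a2="ProxyJump=bastion" a3="/root/.ssh/authorized_keys" a4="backup:/tmp/"',
    'type=EXECVE msg=audit(1700000002.789:458): argc=4 a0="ssh" a1="-i" a2="/tmp/stolen_id_rsa" a3="root@db01"',
    'type=EXECVE msg=audit(1700000003.000:459): argc=3 a0="ssh" a1="-o" a2="StrictHostKeyChecking=no"',
    'type=EXECVE msg=audit(1700000004.000:460): argc=2 a0="ssh" a1="web01"',
    'type=EXECVE msg=audit(1700000005.000:461): argc=3 a0="ls" a1="-la" a2="/tmp"',
]

SSH_BINARIES = {"ssh", "scp", "sftp", "ssh-agent", "ssh-add"}
ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')

# The query's five indicators, with the same patterns (note the surrounding spaces).
INDICATORS = {
    "IsTunnel": re.compile(r" -[DLRN] "),
    "NoHostCheck": re.compile(r"StrictHostKeyChecking.?no"),
    "IsKeyAuth": re.compile(r" -i "),
    "IsProxyChain": re.compile(r"ProxyJump|ProxyCommand"),
    "AuthKeysModify": re.compile(r"authorized_keys"),
}


def score_execve(record):
    """Compute the indicator flags and RiskScore for one auditd EXECVE record.
    Returns None when the record is not an EXECVE for one of the SSH client tools."""
    if "type=EXECVE" not in record:
        return None
    args = {int(i): v for i, v in ARG_RE.findall(record)}
    if args.get(0) not in SSH_BINARIES:
        return None
    # Same shape as the query's concat(a0, " ", a1, " ", a2, " ", a3): a4 and later are ignored.
    cmdline = " ".join(args.get(i, "") for i in range(4))
    flags = {name: int(bool(rx.search(cmdline))) for name, rx in INDICATORS.items()}
    return {"CommandLine": cmdline, **flags, "RiskScore": sum(flags.values())}


def find_risky(records):
    """Score every record, keep RiskScore > 0 and sort descending, like the query's tail."""
    hits = [r for r in map(score_execve, records) if r and r["RiskScore"] > 0]
    return sorted(hits, key=lambda r: r["RiskScore"], reverse=True)


# Constructed sshd syslog lines (not real telemetry): seven failures from one address
# inside a single 10-minute window, plus two unrelated events.
SYSLOG_SAMPLES = [
    f"Nov 14 22:0{i}:1{i} host1 sshd[123{i}]: Failed password for root from 203.0.113.5 port 5100{i} ssh2"
    for i in range(7)
] + [
    "Nov 14 22:04:00 host1 sshd[1300]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2",
    "Nov 14 22:05:00 host1 sshd[1301]: Accepted publickey for deploy from 192.0.2.10 port 40002 ssh2",
]

# Handles "Failed password for <user>", "Accepted publickey for <user>",
# "Failed password for invalid user <user>" and "Invalid user <user>".
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed|Invalid) (?:(?:password|publickey) for (?:invalid user )?|user )"
    r"(?P<user>\S+) from (?P<ip>\S+) port"
)


def auth_bursts(lines, threshold=5):
    """Count sshd events per (SourceIP, AuthResult, 10-minute slice) and return the
    combinations above the threshold, mirroring timeslice 10m | count by ... | where _count > 5.
    Slices are clock-aligned (minute // 10); syslog lines carry no year, so none is used."""
    counts = Counter()
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        tslice = (ts.month, ts.day, ts.hour, ts.minute // 10)
        counts[(m.group("ip"), m.group("result"), tslice)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for hit in find_risky(EXECVE_SAMPLES):
        print(hit["RiskScore"], hit["CommandLine"].strip())
    for (ip, result, tslice), n in auth_bursts(SYSLOG_SAMPLES).items():
        print(f"{ip} {result} x{n} in slice {tslice}")
```

Two properties of the query become visible when running this: the indicator patterns require a space after the flag, and the command line is built from a0..a3 only, so a tunnel or -i flag that appears as the last captured argument or anywhere from a4 onward is not scored. If your auditd configuration records long argument lists, extend the parse to more aN fields (and the concat accordingly) before relying on the RiskScore ordering.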
Data Sources
Required Tables
False Positives & Tuning
- DevOps engineers with SSH config profiles using ProxyJump for tiered bastion access to production environments, which will match ProxyJump and StrictHostKeyChecking patterns
- Automated certificate rotation jobs that write new public keys to authorized_keys files on multiple hosts as part of scheduled key rotation
- Security scanning tools (e.g., ssh-audit, OpenSCAP) that probe SSH configurations and may invoke SSH with unusual flags during compliance assessments
Other platforms for T1021.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SSH Lateral Movement to Remote Host
  Expected signal: Linux auditd EXECVE record for ssh binary with arguments. Syslog entry from sshd on target: 'Accepted password for testuser from <source_ip>'. Linux auditd USER_LOGIN event. Process creation for ssh child process.
- Test 2: SSH SOCKS Proxy Tunnel Creation
  Expected signal: Linux auditd EXECVE for ssh with -D 1080 -N -f flags. Process runs in background (due to -f flag). Network connection established on source port 1080 (SOCKS listener). Syslog entry on target for SSH connection.
- Test 3: Add Attacker SSH Public Key to authorized_keys
  Expected signal: Linux auditd OPEN event for ~/.ssh/authorized_keys with write flag. File modification timestamp change. Sysmon for Linux (if deployed): FileCreate/FileModify event for authorized_keys path.
- Test 4: SSH Key-Based Lateral Movement with Stolen Key
  Expected signal: Linux auditd EXECVE for ssh with -i /tmp/stolen_id_rsa. OPEN event for /tmp/stolen_id_rsa (private key access). Network connection to target port 22. Syslog on target: 'Accepted publickey for root'.
References (8)
- https://attack.mitre.org/techniques/T1021/004/
- https://man7.org/linux/man-pages/man1/ssh.1.html
- https://linux.die.net/man/8/sshd
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md
- https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting/
- https://www.kaspersky.com/blog/lazarus-threatneedle/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-108a