T1563.001 SSH Hijacking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SSHHijackProcessEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // SSH agent socket direct path reference in command line
    ProcessCommandLine has "/tmp/ssh-"
    // Listing loaded SSH keys from an agent (reconnaissance for hijacking)
    or (FileName =~ "ssh-add" and ProcessCommandLine has "-l")
    // Searching /tmp for SSH agent socket files
    or (FileName =~ "find" and ProcessCommandLine has "/tmp" and ProcessCommandLine has_any ("agent", "ssh-"))
    // Debugger attachment to SSH processes (ptrace-based session injection)
    or (FileName in~ ("gdb", "strace", "ltrace") and ProcessCommandLine has_any ("sshd", "ssh-agent"))
    // SSH_AUTH_SOCK environment override (hijacking agent socket)
    or (FileName =~ "ssh" and ProcessCommandLine has "SSH_AUTH_SOCK=")
)
| extend IsSocketEnum = ProcessCommandLine has_any ("/tmp/ssh-", "agent.")
| extend IsAgentKeyList = (FileName =~ "ssh-add" and ProcessCommandLine has "-l")
| extend IsDebuggerAttach = (FileName in~ ("gdb", "strace", "ltrace") and ProcessCommandLine has_any ("sshd", "ssh-agent"))
| extend IsSocketSearch = (FileName =~ "find" and ProcessCommandLine has "/tmp" and ProcessCommandLine has_any ("agent", "ssh-"))
| extend IsAuthSockOverride = (ProcessCommandLine has "SSH_AUTH_SOCK=");
let SSHHijackFileEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath startswith "/tmp/ssh-"
| where ActionType in ("FileAccessed", "FileRead", "FileCreated")
// Exclude legitimate SSH daemon and agent processes
| where InitiatingProcessFileName !in~ ("sshd", "ssh-agent")
| extend IsSocketEnum = true
| extend IsAgentKeyList = false
| extend IsDebuggerAttach = false
| extend IsSocketSearch = false
| extend IsAuthSockOverride = false;
SSHHijackProcessEvents
| extend EventType = "ProcessEvent"
| extend ProcessCmdLine = ProcessCommandLine
| union (
    SSHHijackFileEvents
    | extend EventType = "FileAccessEvent"
    | extend ProcessCmdLine = InitiatingProcessCommandLine
    | extend FileName = InitiatingProcessFileName
    | extend AccountName = AccountName
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCmdLine,
         EventType, IsSocketEnum, IsAgentKeyList, IsDebuggerAttach, IsSocketSearch, IsAuthSockOverride
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Access Command: Command Execution Microsoft Defender for Endpoint (Linux/macOS sensor)

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate SSH key management — users listing their own loaded keys with ssh-add -l during normal workflow, particularly on developer workstations and jump boxes
System administrators using gdb or strace for authorized debugging of SSH daemon issues on development or staging servers
Automated configuration management agents (Ansible, Chef, Puppet) that enumerate SSH-related processes or socket paths during host inventory collection
SSH multiplexing via ControlMaster that creates and accesses socket files in /tmp in ways structurally similar to hijacking sockets
Security scanning and endpoint agent tools that read /proc/<pid>/environ or enumerate /tmp to collect environment variables for compliance auditing

Splunk

spl

index=linux_logs (sourcetype="linux_audit" OR sourcetype="syslog")
(
  (type="EXECVE" (proctitle="*ssh-add*-l*" OR proctitle="*-l*ssh-add*"))
  OR (type="EXECVE" proctitle="*/tmp/ssh-*")
  OR (type="EXECVE" (proctitle="*gdb*sshd*" OR proctitle="*strace*sshd*" OR proctitle="*ltrace*sshd*"))
  OR (type="SYSCALL" syscall="ptrace" (comm="gdb" OR comm="strace" OR comm="ltrace"))
  OR (type="PATH" (name="/tmp/ssh-*" OR name="*/agent.*"))
  OR (type="EXECVE" (proctitle="*find*/tmp*agent*" OR proctitle="*find*ssh-*"))
  OR (type="EXECVE" proctitle="*SSH_AUTH_SOCK*")
)
| eval indicator=case(
    proctitle LIKE "%ssh-add%-l%" OR proctitle LIKE "%-l%ssh-add%", "agent_key_enumeration",
    proctitle LIKE "%/tmp/ssh-%", "socket_path_direct_access",
    (proctitle LIKE "%gdb%sshd%" OR proctitle LIKE "%strace%sshd%" OR proctitle LIKE "%ltrace%sshd%"), "debugger_ssh_attach",
    syscall="ptrace" AND (comm="gdb" OR comm="strace" OR comm="ltrace"), "ptrace_ssh_process",
    type="PATH" AND (name LIKE "/tmp/ssh-%" OR name LIKE "%/agent.%"), "ssh_socket_file_access",
    proctitle LIKE "%find%/tmp%agent%" OR proctitle LIKE "%find%ssh-%", "ssh_socket_enumeration",
    proctitle LIKE "%SSH_AUTH_SOCK%", "auth_sock_override",
    true(), "unknown"
  )
| eval risk_score=case(
    indicator="debugger_ssh_attach", 3,
    indicator="ptrace_ssh_process", 3,
    indicator="agent_key_enumeration", 2,
    indicator="socket_path_direct_access", 2,
    indicator="ssh_socket_enumeration", 2,
    indicator="auth_sock_override", 2,
    indicator="ssh_socket_file_access", 1,
    true(), 0
  )
| where risk_score > 0
| eval uid_auid_mismatch=if(uid!=auid AND auid!="-1" AND auid!="4294967295", 1, 0)
| eval adjusted_score=risk_score + uid_auid_mismatch
| table _time, host, uid, auid, comm, exe, proctitle, type, syscall, indicator, risk_score, uid_auid_mismatch, adjusted_score
| sort - adjusted_score - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Access Linux Auditd (EXECVE, SYSCALL, PATH record types) Syslog

Required Sourcetypes

linux_audit syslog

False Positives

Legitimate users running ssh-add -l to check loaded keys during normal development workflow — filter by correlating uid against the expected socket file owner
System administrators authorized to debug SSH daemon issues with strace on jump boxes or development servers — correlate with change management tickets
Security monitoring agents that enumerate /tmp socket files or process environments for compliance inventory purposes
SSH ControlMaster multiplexing (ControlPersist option) generating PATH auditd records for socket creation and access that superficially resemble hijacking activity
Privileged monitoring tools reading /proc/<pid>/environ to collect SSH_AUTH_SOCK values for session tracking in multi-user environments

Elastic Security (EQL)

eql

process where event.type == "start" and
  (
    (process.command_line : "*SSH_AUTH_SOCK*" and process.name : ("bash","sh","dash","zsh","python*","perl","ruby")) or
    (process.name : "ssh-add" and process.args : "-l" and
     process.parent.name : ("bash","sh","dash","zsh","python*","perl","ruby")) or
    (process.command_line : "*ssh-agent*" and
     process.parent.name : ("bash","sh","dash","zsh","python*","perl","ruby") and
     not process.args : ("-k","-s"))
  )

high severity medium confidence

Data Sources

Linux Process Events

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate SSH key management — users listing their own loaded keys with ssh-add -l during normal workflow, particularly on developer workstations and jump boxes
System administrators using gdb or strace for authorized debugging of SSH daemon issues on development or staging servers
Automated configuration management agents (Ansible, Chef, Puppet) that enumerate SSH-related processes or socket paths during host inventory collection
SSH multiplexing via ControlMaster that creates and accesses socket files in /tmp in ways structurally similar to hijacking sockets
Security scanning and endpoint agent tools that read /proc/<pid>/environ or enumerate /tmp to collect environment variables for compliance auditing

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine, "ParentImage" as ParentProcess,
  CASE WHEN "CommandLine" ILIKE '%SSH_AUTH_SOCK%' THEN 9
       WHEN "Image" ILIKE '%ssh-add%' AND "CommandLine" ILIKE '% -l%' THEN 8
       WHEN "CommandLine" ILIKE '%ssh-agent%' THEN 7
       ELSE 5 END as RiskScore
FROM events
WHERE eventid = 1
  AND (
    ("CommandLine" ILIKE '%SSH_AUTH_SOCK%' AND
     LOWER("Image") LIKE ANY ('%/bash%','%/sh%','%/python%','%/perl%','%/ruby%'))
    OR ("Image" ILIKE '%ssh-add%' AND "CommandLine" ILIKE '% -l%')
    OR ("CommandLine" ILIKE '%ssh-agent%' AND
        LOWER("ParentImage") LIKE ANY ('%/bash%','%/sh%','%/python%','%/perl%'))
  )
ORDER BY EventTime DESC

high severity medium confidence

Data Sources

Sysmon for Linux auditd

Required Tables

events

False Positives

Legitimate SSH key management — users listing their own loaded keys with ssh-add -l during normal workflow, particularly on developer workstations and jump boxes
System administrators using gdb or strace for authorized debugging of SSH daemon issues on development or staging servers
Automated configuration management agents (Ansible, Chef, Puppet) that enumerate SSH-related processes or socket paths during host inventory collection
SSH multiplexing via ControlMaster that creates and accesses socket files in /tmp in ways structurally similar to hijacking sockets
Security scanning and endpoint agent tools that read /proc/<pid>/environ or enumerate /tmp to collect environment variables for compliance auditing

Sumo Logic CSE

sql

_sourceCategory=linux/sysmon OR _sourceCategory=linux/audit
| json auto
| where EventID == "1"
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval ImageLower = toLower(coalesce(Image,""))
| eval ParentLower = toLower(coalesce(ParentImage,""))
| eval is_sock_access = if(CmdLower matches ".*ssh_auth_sock.*"
    AND ImageLower matches "(bash|sh|dash|zsh|python|perl|ruby)$", 1, 0)
| eval is_key_enum = if(ImageLower matches ".*/ssh-add$" AND CmdLower matches ".* -l.*", 1, 0)
| eval is_agent_use = if(CmdLower matches ".*ssh-agent.*"
    AND ParentLower matches "(bash|sh|python|perl|ruby)$"
    AND !CmdLower matches ".*(-k|-s).*", 1, 0)
| where is_sock_access == 1 OR is_key_enum == 1 OR is_agent_use == 1
| eval detection_type = if(is_sock_access == 1, "SSH_Sock_Access",
    if(is_key_enum == 1, "SSH_Key_Enumeration", "SSH_Agent_Hijack"))
| table _time, Computer, User, Image, CommandLine, ParentImage, detection_type
| sort by _time desc

high severity medium confidence

Data Sources

Sysmon for Linux via Sumo Logic Linux Audit via Sumo Logic

Required Tables

linux/sysmon linux/audit

False Positives

Legitimate SSH key management — users listing their own loaded keys with ssh-add -l during normal workflow, particularly on developer workstations and jump boxes
System administrators using gdb or strace for authorized debugging of SSH daemon issues on development or staging servers
Automated configuration management agents (Ansible, Chef, Puppet) that enumerate SSH-related processes or socket paths during host inventory collection
SSH multiplexing via ControlMaster that creates and accesses socket files in /tmp in ways structurally similar to hijacking sockets
Security scanning and endpoint agent tools that read /proc/<pid>/environ or enumerate /tmp to collect environment variables for compliance auditing

Google Chronicle / SecOps

yaral

rule ssh_agent_hijacking {
  meta:
    author = "Detection Engineering"
    description = "Detects SSH agent socket hijacking (T1563.001)"
    severity = "HIGH"
    tactic = "TA0008"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line, `SSH_AUTH_SOCK`) nocase or
      (re.regex($e.target.process.file.full_path, `/ssh-add$`) nocase and
       $e.target.process.command_line = /\s-l/) or
      re.regex($e.target.process.command_line, `/tmp/ssh-`) nocase
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Linux Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate SSH key management — users listing their own loaded keys with ssh-add -l during normal workflow, particularly on developer workstations and jump boxes
System administrators using gdb or strace for authorized debugging of SSH daemon issues on development or staging servers
Automated configuration management agents (Ansible, Chef, Puppet) that enumerate SSH-related processes or socket paths during host inventory collection
SSH multiplexing via ControlMaster that creates and accesses socket files in /tmp in ways structurally similar to hijacking sockets
Security scanning and endpoint agent tools that read /proc/<pid>/environ or enumerate /tmp to collect environment variables for compliance auditing

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| PlatformType = "9"
| (CommandLine = /SSH_AUTH_SOCK/i
   OR (ImageFileName = /ssh-add$/ AND CommandLine = /\s-l/)
   OR (CommandLine = /\/tmp\/ssh-/ AND ImageFileName = /(bash|sh|python|perl|ruby)$/i))
| eval detection_type = case {
    CommandLine = /SSH_AUTH_SOCK/i : "SSH_Socket_Access";
    ImageFileName = /ssh-add$/ : "SSH_Key_Enumeration";
    * : "SSH_Agent_Hijack"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events (Linux)

Required Tables

ProcessRollup2

False Positives

Legitimate SSH key management — users listing their own loaded keys with ssh-add -l during normal workflow, particularly on developer workstations and jump boxes
System administrators using gdb or strace for authorized debugging of SSH daemon issues on development or staging servers
Automated configuration management agents (Ansible, Chef, Puppet) that enumerate SSH-related processes or socket paths during host inventory collection
SSH multiplexing via ControlMaster that creates and accesses socket files in /tmp in ways structurally similar to hijacking sockets
Security scanning and endpoint agent tools that read /proc/<pid>/environ or enumerate /tmp to collect environment variables for compliance auditing

SSH Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Lateral Movement

Popular Detections