Detect SSH Hijacking in IBM QRadar
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. This technique exploits trust relationships established via public key authentication by taking over existing SSH connections rather than creating new ones. The primary attack vector involves accessing the SSH agent socket (typically at /tmp/ssh-XXXXX/agent.NNNN), which allows any process with access to the socket to authenticate as the session owner without knowing their password or private key. With root access, an attacker can enumerate all SSH agent sockets on the system, set SSH_AUTH_SOCK to point to a victim's agent socket, and transparently use loaded SSH keys to authenticate to remote systems. More invasive methods include using ptrace-capable debuggers (gdb, strace) to inject commands into active SSH sessions or extract credentials from sshd process memory. MEDUSA malware has been documented using SSH hijacking for credential capture, and the technique has been leveraged by UNC3886 in post-exploitation lateral movement campaigns.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1563 Remote Service Session Hijacking
- Sub-technique
- T1563.001 SSH Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1563/001/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
logsourcename(logsourceid) as LogSource, username as User,
"Image" as ProcessImage, "CommandLine" as CommandLine, "ParentImage" as ParentProcess,
CASE WHEN "CommandLine" ILIKE '%SSH_AUTH_SOCK%' THEN 9
WHEN "Image" ILIKE '%ssh-add%' AND "CommandLine" ILIKE '% -l%' THEN 8
WHEN "CommandLine" ILIKE '%ssh-agent%' THEN 7
ELSE 5 END as RiskScore
FROM events
WHERE eventid = 1
AND (
("CommandLine" ILIKE '%SSH_AUTH_SOCK%' AND
LOWER("Image") LIKE ANY ('%/bash%','%/sh%','%/python%','%/perl%','%/ruby%'))
OR ("Image" ILIKE '%ssh-add%' AND "CommandLine" ILIKE '% -l%')
OR ("CommandLine" ILIKE '%ssh-agent%' AND
LOWER("ParentImage") LIKE ANY ('%/bash%','%/sh%','%/python%','%/perl%'))
)
ORDER BY EventTime DESCDetects SSH agent hijacking via process creation patterns showing unauthorized access to SSH_AUTH_SOCK in QRadar.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate SSH key management — users listing their own loaded keys with ssh-add -l during normal workflow, particularly on developer workstations and jump boxes
- System administrators using gdb or strace for authorized debugging of SSH daemon issues on development or staging servers
- Automated configuration management agents (Ansible, Chef, Puppet) that enumerate SSH-related processes or socket paths during host inventory collection
- SSH multiplexing via ControlMaster that creates and accesses socket files in /tmp in ways structurally similar to hijacking sockets
- Security scanning and endpoint agent tools that read /proc/<pid>/environ or enumerate /tmp to collect environment variables for compliance auditing
Other platforms for T1563.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SSH Agent Socket Enumeration
Expected signal: Linux auditd EXECVE record: proctitle containing 'find /tmp agent' or 'ls /tmp/ssh-'. Linux auditd PATH records: NORMAL nametype entries for any /tmp/ssh-*/agent.* files accessed during directory listing. MDE DeviceProcessEvents: FileName=find, ProcessCommandLine containing '/tmp' and 'agent'. Syslog may capture the commands via shell audit logging if configured.
- Test 2SSH Agent Key Listing via Captured Socket Path
Expected signal: Linux auditd EXECVE: proctitle 'ssh-add -l'. Linux auditd PATH: access to /tmp/ssh-*/agent.* socket file. MDE DeviceProcessEvents: FileName=ssh-add, ProcessCommandLine containing '-l'. The SSH_AUTH_SOCK environment variable visible in /proc/<pid>/environ for the ssh-add process. DeviceFileEvents: FileAccessed on the socket path.
- Test 3GDB Attach to SSH Process — Ptrace Session Inspection
Expected signal: Linux auditd SYSCALL: syscall=ptrace with comm=gdb and the target PID as the a1 (addr) argument. Linux auditd EXECVE: proctitle 'gdb -q -p <pid>' or 'gdb -p <pid>'. MDE DeviceProcessEvents: FileName=gdb, ProcessCommandLine containing '-p' and a process ID. The ptrace SYSCALL record type will show PTRACE_ATTACH (a0=16) targeting the sleep/sshd PID.
- Test 4Cross-User SSH Agent Socket Access via Privilege Escalation
Expected signal: Linux auditd SYSCALL: uid=0 (root from sudo), auid=<original_user_uid> (attacker's real identity) — this uid/auid divergence is the forensic signature of the attack. EXECVE records for sudo and ssh-add. PATH record showing access to the victim's socket at SSH_AUTH_SOCK path. MDE DeviceProcessEvents: sudo + ssh-add process chain with the victim's socket path in command line environment.
References (10)
- https://attack.mitre.org/techniques/T1563/001/
- https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-boileau.pdf
- https://web.archive.org/web/20210311184303/https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/
- https://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219
- https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3886-uses-fortinet-vmware-0-days
- https://man7.org/linux/man-pages/man2/ptrace.2.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.001/T1563.001.md
- https://linux-audit.com/linux-auditd-best-practice-configuration/
- https://falco.org/docs/rules/default-ruleset/
Unlock Pro Content
Get the full detection package for T1563.001 including response playbook, investigation guide, and atomic red team tests.