Detect SSH Hijacking in Microsoft Sentinel
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. This technique exploits trust relationships established via public key authentication by taking over existing SSH connections rather than creating new ones. The primary attack vector involves accessing the SSH agent socket (typically at /tmp/ssh-XXXXX/agent.NNNN), which allows any process with access to the socket to authenticate as the session owner without knowing their password or private key. With root access, an attacker can enumerate all SSH agent sockets on the system, set SSH_AUTH_SOCK to point to a victim's agent socket, and transparently use loaded SSH keys to authenticate to remote systems. More invasive methods include using ptrace-capable debuggers (gdb, strace) to inject commands into active SSH sessions or extract credentials from sshd process memory. MEDUSA malware has been documented using SSH hijacking for credential capture, and the technique has been leveraged by UNC3886 in post-exploitation lateral movement campaigns.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1563 Remote Service Session Hijacking
- Sub-technique
- T1563.001 SSH Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1563/001/
KQL Detection Query
let SSHHijackProcessEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
// SSH agent socket direct path reference in command line
ProcessCommandLine has "/tmp/ssh-"
// Listing loaded SSH keys from an agent (reconnaissance for hijacking)
or (FileName =~ "ssh-add" and ProcessCommandLine has "-l")
// Searching /tmp for SSH agent socket files
or (FileName =~ "find" and ProcessCommandLine has "/tmp" and ProcessCommandLine has_any ("agent", "ssh-"))
// Debugger attachment to SSH processes (ptrace-based session injection)
or (FileName in~ ("gdb", "strace", "ltrace") and ProcessCommandLine has_any ("sshd", "ssh-agent"))
// SSH_AUTH_SOCK environment override (hijacking agent socket)
or (FileName =~ "ssh" and ProcessCommandLine has "SSH_AUTH_SOCK=")
)
| extend IsSocketEnum = ProcessCommandLine has_any ("/tmp/ssh-", "agent.")
| extend IsAgentKeyList = (FileName =~ "ssh-add" and ProcessCommandLine has "-l")
| extend IsDebuggerAttach = (FileName in~ ("gdb", "strace", "ltrace") and ProcessCommandLine has_any ("sshd", "ssh-agent"))
| extend IsSocketSearch = (FileName =~ "find" and ProcessCommandLine has "/tmp" and ProcessCommandLine has_any ("agent", "ssh-"))
| extend IsAuthSockOverride = (ProcessCommandLine has "SSH_AUTH_SOCK=");
let SSHHijackFileEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath startswith "/tmp/ssh-"
| where ActionType in ("FileAccessed", "FileRead", "FileCreated")
// Exclude legitimate SSH daemon and agent processes
| where InitiatingProcessFileName !in~ ("sshd", "ssh-agent")
| extend IsSocketEnum = true
| extend IsAgentKeyList = false
| extend IsDebuggerAttach = false
| extend IsSocketSearch = false
| extend IsAuthSockOverride = false;
SSHHijackProcessEvents
| extend EventType = "ProcessEvent"
| extend ProcessCmdLine = ProcessCommandLine
| union (
SSHHijackFileEvents
| extend EventType = "FileAccessEvent"
| extend ProcessCmdLine = InitiatingProcessCommandLine
| extend FileName = InitiatingProcessFileName
| extend AccountName = AccountName
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCmdLine,
EventType, IsSocketEnum, IsAgentKeyList, IsDebuggerAttach, IsSocketSearch, IsAuthSockOverride
| sort by Timestamp descDetects SSH agent hijacking attempts on Linux and macOS using Microsoft Defender for Endpoint telemetry. Identifies the full attack lifecycle: SSH agent socket path discovery (find /tmp ... agent), key enumeration from hijacked agents (ssh-add -l), debugger attachment to SSH processes for session injection (gdb/strace against sshd), explicit SSH_AUTH_SOCK overrides indicating cross-user agent use, and direct file access to SSH agent sockets by non-SSH processes. Combines DeviceProcessEvents and DeviceFileEvents into a unified view. Note: Requires MDE sensor deployment on Linux/macOS endpoints.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate SSH key management — users listing their own loaded keys with ssh-add -l during normal workflow, particularly on developer workstations and jump boxes
- System administrators using gdb or strace for authorized debugging of SSH daemon issues on development or staging servers
- Automated configuration management agents (Ansible, Chef, Puppet) that enumerate SSH-related processes or socket paths during host inventory collection
- SSH multiplexing via ControlMaster that creates and accesses socket files in /tmp in ways structurally similar to hijacking sockets
- Security scanning and endpoint agent tools that read /proc/<pid>/environ or enumerate /tmp to collect environment variables for compliance auditing
Other platforms for T1563.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SSH Agent Socket Enumeration
Expected signal: Linux auditd EXECVE record: proctitle containing 'find /tmp agent' or 'ls /tmp/ssh-'. Linux auditd PATH records: NORMAL nametype entries for any /tmp/ssh-*/agent.* files accessed during directory listing. MDE DeviceProcessEvents: FileName=find, ProcessCommandLine containing '/tmp' and 'agent'. Syslog may capture the commands via shell audit logging if configured.
- Test 2SSH Agent Key Listing via Captured Socket Path
Expected signal: Linux auditd EXECVE: proctitle 'ssh-add -l'. Linux auditd PATH: access to /tmp/ssh-*/agent.* socket file. MDE DeviceProcessEvents: FileName=ssh-add, ProcessCommandLine containing '-l'. The SSH_AUTH_SOCK environment variable visible in /proc/<pid>/environ for the ssh-add process. DeviceFileEvents: FileAccessed on the socket path.
- Test 3GDB Attach to SSH Process — Ptrace Session Inspection
Expected signal: Linux auditd SYSCALL: syscall=ptrace with comm=gdb and the target PID as the a1 (addr) argument. Linux auditd EXECVE: proctitle 'gdb -q -p <pid>' or 'gdb -p <pid>'. MDE DeviceProcessEvents: FileName=gdb, ProcessCommandLine containing '-p' and a process ID. The ptrace SYSCALL record type will show PTRACE_ATTACH (a0=16) targeting the sleep/sshd PID.
- Test 4Cross-User SSH Agent Socket Access via Privilege Escalation
Expected signal: Linux auditd SYSCALL: uid=0 (root from sudo), auid=<original_user_uid> (attacker's real identity) — this uid/auid divergence is the forensic signature of the attack. EXECVE records for sudo and ssh-add. PATH record showing access to the victim's socket at SSH_AUTH_SOCK path. MDE DeviceProcessEvents: sudo + ssh-add process chain with the victim's socket path in command line environment.
References (10)
- https://attack.mitre.org/techniques/T1563/001/
- https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-boileau.pdf
- https://web.archive.org/web/20210311184303/https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/
- https://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219
- https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3886-uses-fortinet-vmware-0-days
- https://man7.org/linux/man-pages/man2/ptrace.2.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.001/T1563.001.md
- https://linux-audit.com/linux-auditd-best-practice-configuration/
- https://falco.org/docs/rules/default-ruleset/
Unlock Pro Content
Get the full detection package for T1563.001 including response playbook, investigation guide, and atomic red team tests.