T1563.001 Splunk · SPL

Detect SSH Hijacking in Splunk

Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. This technique exploits trust relationships established via public key authentication by taking over existing SSH connections rather than creating new ones. The primary attack vector involves accessing the SSH agent socket (typically at /tmp/ssh-XXXXX/agent.NNNN), which allows any process with access to the socket to authenticate as the session owner without knowing their password or private key. With root access, an attacker can enumerate all SSH agent sockets on the system, set SSH_AUTH_SOCK to point to a victim's agent socket, and transparently use loaded SSH keys to authenticate to remote systems. More invasive methods include using ptrace-capable debuggers (gdb, strace) to inject commands into active SSH sessions or extract credentials from sshd process memory. MEDUSA malware has been documented using SSH hijacking for credential capture, and the technique has been leveraged by UNC3886 in post-exploitation lateral movement campaigns.

MITRE ATT&CK

Tactic: Lateral Movement
Technique: T1563 Remote Service Session Hijacking
Sub-technique: T1563.001 SSH Hijacking
Canonical reference: https://attack.mitre.org/techniques/T1563/001/

SPL Detection Query

Splunk (SPL)

```spl
index=linux_logs (sourcetype="linux_audit" OR sourcetype="syslog")
(
  (type="EXECVE" (proctitle="*ssh-add*-l*" OR proctitle="*-l*ssh-add*"))
  OR (type="EXECVE" proctitle="*/tmp/ssh-*")
  OR (type="EXECVE" (proctitle="*gdb*sshd*" OR proctitle="*strace*sshd*" OR proctitle="*ltrace*sshd*"))
  OR (type="SYSCALL" syscall="ptrace" (comm="gdb" OR comm="strace" OR comm="ltrace"))
  OR (type="PATH" (name="/tmp/ssh-*" OR name="*/agent.*"))
  OR (type="EXECVE" (proctitle="*find*/tmp*agent*" OR proctitle="*find*ssh-*"))
  OR (type="EXECVE" proctitle="*SSH_AUTH_SOCK*")
)
| eval indicator=case(
    proctitle LIKE "%ssh-add%-l%" OR proctitle LIKE "%-l%ssh-add%", "agent_key_enumeration",
    proctitle LIKE "%/tmp/ssh-%", "socket_path_direct_access",
    (proctitle LIKE "%gdb%sshd%" OR proctitle LIKE "%strace%sshd%" OR proctitle LIKE "%ltrace%sshd%"), "debugger_ssh_attach",
    syscall="ptrace" AND (comm="gdb" OR comm="strace" OR comm="ltrace"), "ptrace_ssh_process",
    type="PATH" AND (name LIKE "/tmp/ssh-%" OR name LIKE "%/agent.%"), "ssh_socket_file_access",
    proctitle LIKE "%find%/tmp%agent%" OR proctitle LIKE "%find%ssh-%", "ssh_socket_enumeration",
    proctitle LIKE "%SSH_AUTH_SOCK%", "auth_sock_override",
    true(), "unknown"
  )
| eval risk_score=case(
    indicator="debugger_ssh_attach", 3,
    indicator="ptrace_ssh_process", 3,
    indicator="agent_key_enumeration", 2,
    indicator="socket_path_direct_access", 2,
    indicator="ssh_socket_enumeration", 2,
    indicator="auth_sock_override", 2,
    indicator="ssh_socket_file_access", 1,
    true(), 0
  )
| where risk_score > 0
| eval uid_auid_mismatch=if(uid!=auid AND auid!="-1" AND auid!="4294967295", 1, 0)
| eval adjusted_score=risk_score + uid_auid_mismatch
| table _time, host, uid, auid, comm, exe, proctitle, type, syscall, indicator, risk_score, uid_auid_mismatch, adjusted_score
| sort - adjusted_score, - _time
```

Severity: high · Confidence: medium

Detects SSH agent hijacking attempts using Linux auditd telemetry in Splunk. The query analyzes EXECVE process arguments (the proctitle field), SYSCALL ptrace records indicating debugger attachment to SSH processes, and PATH audit records showing access to SSH agent socket files in /tmp. It assigns a risk score per indicator type, with debugger attachment to sshd scoring highest (3). It also includes uid vs auid mismatch detection — when the effective user (uid) differs from the original login user (auid), the event occurred in a privilege escalation context, and the score is raised by one point. Note: proctitle in auditd PROCTITLE records may require hex decoding; the Splunk Add-on for Unix and Linux decodes this field automatically. Ensure the auditd rules include: -a always,exit -F arch=b64 -S ptrace and -w /tmp -p war -k ssh_socket_watch.
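To check the scoring logic offline before deploying it, here is an added example (not part of the original detection package) that replays the same ordered indicator rules, risk scores and uid/auid bonus over constructed auditd key=value records, including decoding of a hex-encoded proctitle. It assumes the add-on has already merged the PROCTITLE value onto the EXECVE record, as the query does.

```python
import re
from fnmatch import fnmatchcase

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # auditd key=value tokens
DEBUGGERS = ("gdb", "strace", "ltrace")
NO_AUID = ("-1", "4294967295")  # auid of processes with no login session

def parse_audit(line):
    """Tokenise one auditd line; an unquoted proctitle is hex-encoded argv with NUL separators."""
    rec = {}
    for k, v in KV.findall(line):
        if k == "proctitle" and not v.startswith('"') and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", v):
            v = bytes.fromhex(v).decode("utf-8", "replace").replace("\x00", " ")
        rec[k] = v.strip('"')
    return rec

def classify(rec):
    """Same ordered case() as the SPL query above: returns (indicator, risk_score)."""
    t, pt, name = rec.get("type"), rec.get("proctitle", ""), rec.get("name", "")
    g = lambda pat: fnmatchcase(pt, pat)
    if t == "EXECVE":
        if g("*ssh-add*-l*") or g("*-l*ssh-add*"): return "agent_key_enumeration", 2
        if g("*/tmp/ssh-*"): return "socket_path_direct_access", 2
        if any(g(f"*{d}*sshd*") for d in DEBUGGERS): return "debugger_ssh_attach", 3
        if g("*find*/tmp*agent*") or g("*find*ssh-*"): return "ssh_socket_enumeration", 2
        if g("*SSH_AUTH_SOCK*"): return "auth_sock_override", 2
    if t == "SYSCALL" and rec.get("syscall") == "ptrace" and rec.get("comm") in DEBUGGERS:
        return "ptrace_ssh_process", 3
    if t == "PATH" and (fnmatchcase(name, "/tmp/ssh-*") or fnmatchcase(name, "*/agent.*")):
        return "ssh_socket_file_access", 1
    return "unknown", 0

def score(rec):
    """Risk score plus the uid/auid mismatch bonus (effective user differs from login user)."""
    ind, risk = classify(rec)
    uid, auid = rec.get("uid"), rec.get("auid")
    mismatch = int(None not in (uid, auid) and uid != auid and auid not in NO_AUID)
    return {"indicator": ind, "risk_score": risk, "uid_auid_mismatch": mismatch, "adjusted_score": risk + mismatch}

def alerts(lines):
    """Apply the query's filter and sort: keep risk_score > 0, highest adjusted_score first."""
    rows = [dict(r, **score(r)) for r in map(parse_audit, lines)]
    return sorted((r for r in rows if r["risk_score"] > 0), key=lambda r: -r["adjusted_score"])

# Constructed sample records; proctitle is shown on the EXECVE line as the Splunk add-on merges it.
SAMPLE = [
    'type=EXECVE uid=0 auid=1001 comm="ssh-add" exe="/usr/bin/ssh-add" proctitle=7373682D616464002D6C',
    'type=SYSCALL syscall=ptrace uid=0 auid=0 comm="gdb" exe="/usr/bin/gdb"',
    'type=PATH name="/tmp/ssh-XXXXabcd/agent.4242" uid=1001 auid=1001',
    'type=EXECVE uid=1001 auid=1001 comm="ls" proctitle="ls -la /home/dev"',  # benign, scores 0
]
```

The first record (ssh-add -l run as root from a uid 1001 login) lands on top with adjusted_score 3, the same rank the query gives a debugger attach.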

Data Sources

  • Process: Process Creation
  • File: File Access
  • Linux Auditd (EXECVE, SYSCALL, PATH record types)
  • Syslog

Required Sourcetypes

  • linux_audit
  • syslog

False Positives & Tuning

  • Legitimate users running ssh-add -l to check loaded keys during normal development workflow — filter by correlating uid against the expected socket file owner
  • System administrators authorized to debug SSH daemon issues with strace on jump boxes or development servers — correlate with change management tickets
  • Security monitoring agents that enumerate /tmp socket files or process environments for compliance inventory purposes
  • SSH ControlMaster multiplexing (ControlPersist option) generating PATH auditd records for socket creation and access that superficially resemble hijacking activity
  • Privileged monitoring tools reading /proc/<pid>/environ to collect SSH_AUTH_SOCK values for session tracking in multi-user environments
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SSH Agent Socket Enumeration

    Expected signal: Linux auditd EXECVE record: proctitle containing 'find /tmp agent' or 'ls /tmp/ssh-'. Linux auditd PATH records: NORMAL nametype entries for any /tmp/ssh-*/agent.* files accessed during directory listing. MDE DeviceProcessEvents: FileName=find, ProcessCommandLine containing '/tmp' and 'agent'. Syslog may capture the commands via shell audit logging if configured.

  2. Test 2: SSH Agent Key Listing via Captured Socket Path

    Expected signal: Linux auditd EXECVE: proctitle 'ssh-add -l'. Linux auditd PATH: access to /tmp/ssh-*/agent.* socket file. MDE DeviceProcessEvents: FileName=ssh-add, ProcessCommandLine containing '-l'. The SSH_AUTH_SOCK environment variable visible in /proc/<pid>/environ for the ssh-add process. DeviceFileEvents: FileAccessed on the socket path.

  3. Test 3: GDB Attach to SSH Process — Ptrace Session Inspection

    Expected signal: Linux auditd SYSCALL: syscall=ptrace with comm=gdb and the target PID as the a1 (addr) argument. Linux auditd EXECVE: proctitle 'gdb -q -p <pid>' or 'gdb -p <pid>'. MDE DeviceProcessEvents: FileName=gdb, ProcessCommandLine containing '-p' and a process ID. The ptrace SYSCALL record type will show PTRACE_ATTACH (a0=16) targeting the sleep/sshd PID.

  4. Test 4: Cross-User SSH Agent Socket Access via Privilege Escalation

    Expected signal: Linux auditd SYSCALL: uid=0 (root from sudo), auid=<original_user_uid> (attacker's real identity) — this uid/auid divergence is the forensic signature of the attack. EXECVE records for sudo and ssh-add. PATH record showing access to the victim's socket at SSH_AUTH_SOCK path. MDE DeviceProcessEvents: sudo + ssh-add process chain with the victim's socket path in command line environment.
