Suspicious reuse of SSH agent sockets across multiple users or processes, anomalous access to ~/.ssh/ or /tmp/ssh-* sockets, and lateral movement via SSH that produces no new authentication event on the source host. Because the hijacked agent signs the challenge on the attacker's behalf, the destination records an ordinary public-key login for the socket owner, so the useful signals are on the host where the socket lives. Defender view: detect when one process connects to another user's SSH agent socket, or when an existing SSH connection (for example a ControlMaster multiplexed session) is used to pivot unexpectedly.
| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | auditd:SYSCALL | connect syscalls whose Unix-socket path is under /tmp/ssh-*/ or equals $SSH_AUTH_SOCK (the path is in the accompanying SOCKADDR record; open(2) on a socket fails, so a file watch on the path alone misses the access) |
| Process Creation (DC0032) | auditd:EXECVE | Execution of ssh/scp/sftp with no matching authentication event for the invoking user (the destination sees a normal public-key login for the socket owner, not for the invoking user) |
| Logon Session Creation (DC0067) | NSM:Connections | New channels or continued activity on an established SSH connection (e.g., ControlMaster/ControlPath multiplexing) with no new logon event |
| Field | Description |
|---|---|
| UserContext | Tune alerts for cross-user access to SSH agent sockets; compare the connecting process's uid and auid with the socket owner and allowlist expected pairs. |
| TimeWindow | Correlate an agent-socket access with ssh/scp/sftp execution and outbound SSH flows from the same process or session within a short timeframe. |
On macOS: unusual access to SSH agent sockets in /tmp/ or /private/tmp (the launchd-supplied agent socket is /private/tmp/com.apple.launchd.*/Listeners; /tmp is a symlink to /private/tmp, so normalize paths before matching), process access to another user's $SSH_AUTH_SOCK, and lateral SSH activity without corresponding login events. Defender view: correlation of socket access with anomalous network flows to internal systems.
| Data Component | Name | Channel |
|---|---|---|
| Process Metadata (DC0034) | macos:unifiedlog | Process connecting to $SSH_AUTH_SOCK, /tmp/ssh-*, or /private/tmp/com.apple.launchd.*/Listeners while running under a UID other than the socket owner's |
| Process Creation (DC0032) | macos:unifiedlog | Execution of ssh or sftp with no corresponding login event for the invoking user |
| Logon Session Creation (DC0067) | macos:unifiedlog | Reuse of an existing SSH session without a new authentication event |
| Field | Description |
|---|---|
| SocketPathScope | Limit detection to monitored SSH agent socket directories (launchd Listeners sockets, /tmp/ssh-*, and any custom $SSH_AUTH_SOCK locations), so connects to unrelated Unix sockets are ignored. |
| BaselineUsers | Establish normal SSH agent ownership and expected cross-user usage (e.g., automation accounts) for tuning. |
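The cross-user check, the SocketPathScope and BaselineUsers tuning, and the TimeWindow correlation described in both the Linux and macOS tables above can be expressed as one small analytic. The following script is an added example, not part of the original page or of any ATT&CK tooling. It assumes Linux auditd rules of the form `-a always,exit -F arch=b64 -S connect -k ssh_agent` and `-S execve -k ssh_exec`, and takes `ausearch -i` output as input (uids interpreted as names). The socket path patterns cover the Linux /tmp/ssh-*/agent.* layout, the macOS launchd Listeners socket, and gnome-keyring's socket; the audit lines, the socket ownership inventory, the allowlisted (user, owner) pair and the 30-second window are all constructed for the example.

```python
"""Flag connects to another user's SSH agent socket, from ausearch -i output.

Added example (not from the original page). Assumptions: auditd logs connect
and execve syscalls; input is `ausearch -i` text so uid/auid are user names.
"""
import os
import re
from datetime import datetime, timedelta

# SocketPathScope: only these Unix-socket paths count as agent sockets.
AGENT_SOCKET_PATTERNS = [
    re.compile(r"^/tmp/ssh-[^/]+/agent\.\d+$"),                          # OpenSSH ssh-agent / sshd forwarding
    re.compile(r"^/private/tmp/com\.apple\.launchd\.[^/]+/Listeners$"),  # macOS launchd-supplied agent
    re.compile(r"^/run/user/\d+/keyring/ssh$"),                          # gnome-keyring agent
]
# BaselineUsers: (connecting user, socket owner) pairs that are expected. Constructed.
ALLOWED_CROSS_USER = {("root", "backup")}
SSH_CLIENTS = {"ssh", "scp", "sftp"}
TIME_WINDOW = timedelta(seconds=30)  # TimeWindow: execve of a client -> its agent connect

AUDIT_HDR = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
KV = re.compile(r"(\w+)=(\S+)")
SADDR = re.compile(r"(?:saddr_)?fam=local path=(\S+)")

# Constructed ownership inventory (path -> owner). On a live host use stat_owner()
# instead, ideally recorded when the agent binds, since /tmp/ssh-* dirs are short-lived.
SOCKET_INVENTORY = {
    "/tmp/ssh-XXXXalice/agent.2231": "alice",
    "/tmp/ssh-XXXXbackup/agent.3100": "backup",
}


def inventory_owner(path):
    return SOCKET_INVENTORY.get(path)


def stat_owner(path):
    """Live lookup of the socket inode's owner (Unix only)."""
    import pwd
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except (FileNotFoundError, KeyError):
        return None


def is_agent_socket(path):
    return any(p.match(path) for p in AGENT_SOCKET_PATTERNS)


def parse_events(lines):
    """Group SYSCALL/SOCKADDR/EXECVE records by audit serial into one event each."""
    events = {}
    for line in lines:
        m = AUDIT_HDR.match(line.strip())
        if not m:
            continue  # skips '----' separators and unrelated text
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {
            "ts": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f"), "serial": int(serial)})
        if rtype == "SYSCALL":
            ev.update(dict(KV.findall(body)))
        elif rtype == "SOCKADDR":
            s = SADDR.search(body)
            if s:
                ev["socket_path"] = s.group(1)
        elif rtype == "EXECVE":
            kv = dict(KV.findall(body))
            ev["argv"] = [kv[f"a{i}"] for i in range(int(kv.get("argc", 0))) if f"a{i}" in kv]
    return sorted(events.values(), key=lambda e: (e["ts"], e["serial"]))


def detect(lines, socket_owner):
    """Return alerts for successful connects to agent sockets owned by another user."""
    last_exec = {}  # pid -> most recent ssh/scp/sftp execve, for the TimeWindow correlation
    alerts = []
    for ev in parse_events(lines):
        if ev.get("syscall") == "execve" and ev.get("comm") in SSH_CLIENTS:
            last_exec[ev["pid"]] = ev
            continue
        if ev.get("syscall") != "connect" or ev.get("success") != "yes":
            continue
        path = ev.get("socket_path", "")
        if not is_agent_socket(path):
            continue
        owner, user = socket_owner(path), ev.get("uid")
        if owner is None or user == owner or (user, owner) in ALLOWED_CROSS_USER:
            continue
        alert = {"serial": ev["serial"], "pid": ev["pid"], "user": user, "auid": ev.get("auid"),
                 "exe": ev.get("exe"), "socket": path, "owner": owner, "target": None}
        ex = last_exec.get(ev["pid"])
        if ex and ev["ts"] - ex["ts"] <= TIME_WINDOW:
            # Heuristic: last non-option argument of the client is the pivot destination.
            alert["target"] = next((a for a in reversed(ex.get("argv", [])[1:]) if not a.startswith("-")), None)
        alerts.append(alert)
    return alerts


# Constructed ausearch -i records: alice's own agent use, bob hijacking alice's agent
# right after launching ssh -A, an allowlisted root->backup access, and an unrelated socket.
SAMPLE_AUDIT_LOG = """\
type=SOCKADDR msg=audit(01/10/2024 09:12:01.004:4470) : saddr={ saddr_fam=local path=/tmp/ssh-XXXXalice/agent.2231 }
type=SYSCALL msg=audit(01/10/2024 09:12:01.004:4470) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffc1a2b3c40 a2=0x6e a3=0x0 items=0 ppid=2240 pid=2290 auid=alice uid=alice gid=alice euid=alice comm=ssh exe=/usr/bin/ssh key=ssh_agent
type=EXECVE msg=audit(01/10/2024 09:12:03.117:4480) : argc=3 a0=ssh a1=-A a2=db01.internal
type=SYSCALL msg=audit(01/10/2024 09:12:03.117:4480) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55d1 a1=0x55d2 a2=0x55d3 a3=0x0 items=2 ppid=5102 pid=5140 auid=bob uid=bob gid=bob euid=bob comm=ssh exe=/usr/bin/ssh key=ssh_exec
type=SOCKADDR msg=audit(01/10/2024 09:12:03.121:4481) : saddr={ saddr_fam=local path=/tmp/ssh-XXXXalice/agent.2231 }
type=SYSCALL msg=audit(01/10/2024 09:12:03.121:4481) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7ffc1a2b3c40 a2=0x6e a3=0x0 items=0 ppid=5102 pid=5140 auid=bob uid=bob gid=bob euid=bob comm=ssh exe=/usr/bin/ssh key=ssh_agent
type=SOCKADDR msg=audit(01/10/2024 09:12:05.000:4490) : saddr={ saddr_fam=local path=/tmp/ssh-XXXXbackup/agent.3100 }
type=SYSCALL msg=audit(01/10/2024 09:12:05.000:4490) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffc1a2b3c40 a2=0x6e a3=0x0 items=0 ppid=1 pid=6001 auid=root uid=root gid=root euid=root comm=ssh exe=/usr/bin/ssh key=ssh_agent
type=SOCKADDR msg=audit(01/10/2024 09:12:06.000:4495) : saddr={ saddr_fam=local path=/run/dbus/system_bus_socket }
type=SYSCALL msg=audit(01/10/2024 09:12:06.000:4495) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffc1a2b3c40 a2=0x6e a3=0x0 items=0 ppid=1 pid=6010 auid=bob uid=bob gid=bob euid=bob comm=dbus-send exe=/usr/bin/dbus-send key=ssh_agent
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG.splitlines(), inventory_owner):
        print(a)
```

Only bob's connect to alice's agent survives the filters: alice using her own socket, the allowlisted root-to-backup pair, and the D-Bus socket outside SocketPathScope are all dropped, and the execve seen for the same pid within the window attaches the pivot target. On raw audit logs (no `-i`) uid and auid are numeric, so either resolve them or key the inventory and allowlist by uid.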