SSH login from a remote system (via sshd), followed by execution of suspicious binaries in that user's context or by privilege escalation behavior.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:EXECVE | EXECVE |
| Logon Session Creation (DC0067) | linux:syslog | None |
| Network Traffic Flow (DC0078) | NSM:Flow | TCP port 22 traffic |

| Field | Description |
|---|---|
| TimeWindow | Defines the correlation window from login to first post-SSH process (e.g., 60s) |
| SuspiciousProcessList | List of binaries considered unusual in an SSH context (e.g., nc, base64, bash -i) |
| UsernameFilter | Accounts of interest for SSH logins (e.g., root, admin) |

SSH login detected via Unified Logs, followed by unusual process execution, especially outside normal user behavior patterns.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | macos:unifiedlog | process = 'sshd' |
| Network Traffic Content (DC0085) | macos:unifiedlog | process = 'ssh' OR eventMessage CONTAINS 'ssh' |
| Process Creation (DC0032) | macos:osquery | process_events |

| Field | Description |
|---|---|
| TimeWindow | Time range to correlate post-SSH activities (e.g., 45s) |
| UserContext | Define authorized users to reduce false positives |
| CommandLineKeywords | Suspicious terms such as reverse shells, base64, curl |

SSH login via hostd or /var/log/auth.log, followed by CLI access to the host shell or file manipulation in restricted areas.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | esxi:auth | None |
| Command Execution (DC0064) | esxi:shell | None |
| Network Traffic Flow (DC0078) | esxi:vmkernel | port 22 access |

| Field | Description |
|---|---|
| AllowedUsers | Legitimate SSH users to this host |
| TimeWindow | Correlate SSH login and unauthorized commands or shell access |
| CommandList | Flag commands like esxcli, rm, chmod post-login |
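All three analytics above are the same correlation: an accepted SSH login, then a flagged command by the same user on the same host inside a short time window, with an allow-list of expected users to suppress noise. The following Python is an added example written for this page, not code from ATT&CK or any SIEM product. It parses sshd "Accepted" lines in syslog/auth.log format, takes process-creation events as already-normalized dictionaries (the shape a pipeline would produce from auditd EXECVE, osquery process_events or an ESXi shell log), and applies the TimeWindow, SuspiciousProcessList/CommandList and AllowedUsers/UsernameFilter tunables. All log lines, hostnames, addresses and the `Params` field names are constructed for the example; the syslog year is assumed because syslog timestamps do not carry one.

```python
"""Correlate SSH logins with suspicious post-login process execution.

Added example; every log line and host below is constructed, not taken
from a real system. Field names in Params are this example's own.
"""
import os
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for this example

# sshd's "Accepted <method> for <user> from <src> port <n>" line in auth.log
SSHD_ACCEPT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Params:
    """Tunables mirroring the tables above (names chosen for this example)."""
    time_window: timedelta = timedelta(seconds=60)   # TimeWindow
    suspicious: tuple = ("nc", "base64", "bash -i")  # SuspiciousProcessList / CommandList
    allowed_users: frozenset = frozenset()           # AllowedUsers / UserContext
    watch_users: frozenset = frozenset()             # UsernameFilter; empty = all users


@dataclass(frozen=True)
class Login:
    ts: datetime
    host: str
    user: str
    src: str


def parse_logins(lines):
    """Extract accepted SSH logins; failed attempts and disconnects are skipped."""
    logins = []
    for line in lines:
        m = SSHD_ACCEPT.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append(Login(ts, m["host"], m["user"], m["src"]))
    return logins


def is_suspicious(cmdline, patterns):
    """Match on argv[0]'s basename plus any leading arguments in the pattern,
    so "bash -i" flags an interactive shell but not "bash -c ls"."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return True  # unbalanced quoting in a command line is itself worth a look
    if not argv:
        return False
    for pat in patterns:
        want = pat.split()
        if os.path.basename(argv[0]) == want[0] and argv[1:len(want)] == want[1:]:
            return True
    return False


def correlate(auth_lines, proc_events, params=Params()):
    """Alert on a flagged process run by a user within time_window after that
    user's SSH login on the same host. Events before the login, outside the
    window, on another host, or by allowed users produce nothing."""
    logins = parse_logins(auth_lines)
    alerts = []
    for ev in proc_events:
        user = ev["user"]
        if user in params.allowed_users:
            continue
        if params.watch_users and user not in params.watch_users:
            continue
        if not is_suspicious(ev["cmdline"], params.suspicious):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        for lg in logins:
            if lg.host == ev["host"] and lg.user == user and lg.ts <= ts <= lg.ts + params.time_window:
                alerts.append({
                    "host": lg.host, "user": user, "src": lg.src,
                    "login_ts": lg.ts.isoformat(), "proc_ts": ts.isoformat(),
                    "cmdline": ev["cmdline"],
                    "seconds_after_login": int((ts - lg.ts).total_seconds()),
                })
                break
    return sorted(alerts, key=lambda a: a["proc_ts"])


# Constructed sample input: one expected deploy login, one root login, one failure.
AUTH_LINES = [
    "Nov 12 10:00:00 web01 sshd[2231]: Accepted publickey for deploy from 198.51.100.7 port 50212 ssh2",
    "Nov 12 10:05:00 web01 sshd[2290]: Accepted password for root from 203.0.113.5 port 51234 ssh2",
    "Nov 12 10:05:03 web01 sshd[2291]: Failed password for root from 203.0.113.9 port 51240 ssh2",
]
PROC_EVENTS = [
    {"ts": "2024-11-12T10:00:10", "host": "web01", "user": "deploy", "cmdline": "git pull"},
    {"ts": "2024-11-12T10:00:30", "host": "web01", "user": "deploy", "cmdline": "base64 -d /tmp/build.b64"},
    {"ts": "2024-11-12T10:04:50", "host": "web01", "user": "root", "cmdline": "base64 -d /tmp/x"},
    {"ts": "2024-11-12T10:05:15", "host": "db01", "user": "root", "cmdline": "nc -z localhost 5432"},
    {"ts": "2024-11-12T10:05:20", "host": "web01", "user": "root", "cmdline": "bash -i"},
    {"ts": "2024-11-12T10:05:45", "host": "web01", "user": "root", "cmdline": "base64 -d /tmp/a.b64"},
    {"ts": "2024-11-12T10:06:30", "host": "web01", "user": "root", "cmdline": "/usr/bin/nc -z localhost 22"},
]


def run_example():
    """Two alerts: the root login at 10:05:00 followed by "bash -i" (+20s) and
    base64 (+45s). The deploy user is allow-listed, the 10:04:50 event precedes
    the login, db01 has no login, and the 10:06:30 event is past the 60s window."""
    return correlate(AUTH_LINES, PROC_EVENTS, Params(allowed_users=frozenset({"deploy"})))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The same function covers the macOS and ESXi variants by changing `Params`: a 45-second window with `UserContext` as `allowed_users` for the Unified Log analytic, or `("esxcli", "rm", "chmod")` as the pattern list for the ESXi shell analytic. Tuning `time_window` is the main false-positive lever; a legitimate administrator who logs in and immediately runs `rm` on a host will still fire unless they are in the allow-list, which is the trade-off the tables above describe.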