Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com
Zero-days, exploit breakdowns, IOCs, detection rules & mitigation playbooks.
Executive Summary
SSH is one of the most abused legitimate tools in post-compromise activity. Once attackers obtain credentials or keys, SSH becomes a stealthy channel for persistence, lateral movement, and data staging.
This playbook provides SOC teams with practical SIEM detections, correlation logic, and response actions to detect SSH abuse early—before it escalates into ransomware or full domain compromise.
SSH abuse is rarely noisy. Detection must focus on behavior, not signatures.
Threat Overview: SSH Tool Abuse
Attackers abuse SSH for:
- Credential-based initial access
- Persistence via authorized_keys
- Lateral movement between servers
- Command execution and data staging
Because SSH is trusted by default, most environments fail to monitor it with sufficient depth.
Required Log Sources
- Linux auth logs (auth.log / secure)
- EDR telemetry (process + network)
- Network firewall logs
- Cloud audit logs (if applicable)
- Identity / IAM authentication logs
Without identity context, SSH detections lose effectiveness.
Core Detection Use Cases
UC-1: SSH Login from Unusual Source
Description: Successful SSH login from a source IP or country not previously associated with the user or host.
Detection Logic:
- Successful SSH authentication
- New source IP or ASN
- No historical baseline match
Severity: High
---UC-2: SSH Brute Force Followed by Success
Description: Multiple failed SSH attempts followed by a successful login.
Detection Logic:
- >10 failed SSH logins within 5 minutes
- Success from same source IP
Severity: Critical
---UC-3: New SSH Key Added (Persistence)
Description: Modification of authorized_keys file.
Detection Logic:
- File write to ~/.ssh/authorized_keys
- User not associated with admin activity
Severity: Critical
SSH key persistence is one of the most commonly missed attacker techniques.
UC-4: SSH Lateral Movement Pattern
Description: One host initiating SSH sessions to multiple internal systems.
Detection Logic:
- Single source host
- SSH connections to 3+ internal hosts
- Short time window (<15 minutes)
Severity: High
---UC-5: SSH Usage Outside Change Window
Description: SSH access outside approved maintenance hours.
Detection Logic:
- SSH login event
- Outside approved time window
- No active change ticket
Severity: Medium → High (context dependent)
SIEM Correlation Strategy
SSH detections should never stand alone. CyberDudeBivash recommends correlating:
- SSH + IAM anomalies
- SSH + EDR process execution
- SSH + unusual data access
Correlation reduces false positives and accelerates response.
SOC Response Playbook
Immediate Actions
- Isolate affected host (if suspicious)
- Disable compromised credentials or keys
- Capture session history and commands
Investigation Steps
- Review SSH command history
- Check for additional persistence mechanisms
- Identify lateral movement scope
Containment & Recovery
- Rotate all related credentials
- Audit SSH configurations globally
- Enable stricter key management
SOC Metrics to Track
- Mean time to detect SSH abuse
- Number of SSH key changes per month
- Lateral movement dwell time