This note documents detection patterns related to Successful SSH Compromise on Linux systems.

Direct Indicators

Source	Grep Pattern / Artifact	Meaning	Forensic Value	Notes
`/var/log/auth.log` / `/var/log/secure`	`Accepted password`	Successful password-based SSH login	Critical	Primary successful SSH authentication indicator.
`/var/log/auth.log` / `/var/log/secure`	`Accepted publickey`	Successful SSH key authentication	Critical	Indicates key-based access, legitimate or malicious.
`/var/log/auth.log` / `/var/log/secure`	`session opened for user`	Session fully established	Critical	Confirms shell entry after authentication.
`/var/log/auth.log` / `/var/log/secure`	`pam_unix(sshd:session)`	PAM session creation	High	Confirms authenticated session lifecycle.
`/var/log/auth.log` / `/var/log/secure`	`Received disconnect`	Session termination	Medium	Helps define session boundaries.
`/var/log/auth.log` / `/var/log/secure`	`Connection closed`	SSH session ended	Medium	Useful for short-lived attacker sessions.
`journalctl`	sshd accepted login records	Journald authentication success evidence	Critical	Essential where flat logs absent.
`wtmp`	Successful login entry	Historical session evidence	Critical	Used by `last`.
`last`	Session listing	Login chronology	Critical	Fast successful session review.
`lastlog`	User login timestamp	Account usage baseline	High	Identifies recent unexpected account use.
Shell history	command execution after login	Immediate operator activity	Critical	Often strongest post-auth evidence.
`auditd`	execve after sshd session	Process lineage after login	Critical	Best process truth if enabled.
`sshd` child process telemetry	per-session sshd child	Session-linked process context	High	Useful in EDR / audit environments.
Network telemetry	TCP/22 session fully established	Remote shell channel confirmed	High	Useful if host logs partial.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Successful login immediately after failures	`Accepted password` following brute force burst	Critical	Strong compromise signal.
New geography or ASN	Source IP inconsistent with normal operator behavior	High	Important contextual signal.
Service account interactive login	Non-human account entering shell	Critical	Often highly suspicious.
Root login success	Direct privileged access	Critical	Very high severity if unexpected.
Short session followed by persistence	Quick login then cron/key/user changes	Critical	Common attacker stabilization pattern.
Login during maintenance silence	Off-hours access	High	Context strengthens suspicion.
New account used for first time	Fresh account immediately used via SSH	Critical	Often persistence validation.
SSH key login without known deployment	Unexpected key acceptance	Critical	Often hidden persistence.
Successful login followed by sudo	Immediate escalation behavior	Critical	Strong attacker signal.
Same IP later opens outbound connections	Foothold used operationally	Critical	Indicates active intrusion chain.

Common Tools

Tool	Usage
Native `ssh`	Standard operator access after credential theft.
`sshpass`	Password-based automation or scripted attacker access.
Stolen private keys	Direct key-based compromise.
ProxyChains / pivots	Routed SSH through prior footholds.
Cloud console credential reuse	Legitimate-looking SSH via stolen infra credentials.
Automated post-brute scripts	Immediate command execution after successful login.

Relevant Artifacts

Artifact	Path / Command	Forensic Value	Notes
SSH auth logs	`/var/log/auth.log`, `/var/log/secure`	Critical	Primary login source.
Journald SSH logs	`journalctl -u ssh`, `journalctl -u sshd`	Critical	Required on many modern hosts.
Successful login database	`/var/log/wtmp`	Critical	Used by `last`.
Login summaries	`last`, `lastlog`	Critical	Fast session review.
Failed login history	`/var/log/btmp`, `lastb`	High	Must correlate preceding brute force.
Shell history	`~/.bash_history`, `/root/.bash_history`	Critical	Session actions after entry.
SSH key files	`~/.ssh/authorized_keys`	Critical	Key compromise / persistence linkage.
SSH daemon config	`/etc/ssh/sshd_config`	High	Determine accepted auth methods.
Audit logs	`/var/log/audit/audit.log`	Critical	Process lineage after login.
Sudo logs	auth logs / journal	Critical	Immediate escalation pivot.
Home directory timestamps	`stat /home/<user>`	High	Session artifact timing.

MITRE ATT&CK References

T1021.004 SSH
T1078 Valid Accounts
T1078.003 Local Accounts
T1098 Account Manipulation

Decision Tree

Is successful SSH present?
- Identify Accepted password or Accepted publickey.
Which account logged in?
- Determine whether user is expected, privileged, service-like, or newly created.
From where?
- Review source IP, ASN, geography, previous history.
What preceded success?
- Check brute force, password spray, previous failures.
What happened immediately after login?
- Shell history, sudo, file changes, outbound connections.
Pivot
- User → shell history / privilege use.
- Source IP → recurrence / threat intel / host correlation.
- Session window → persistence actions.
Confirm compromise
- Unexpected account + suspicious IP + immediate operator activity = likely intrusion.

Example Detection Templates

Grep

grep "Accepted password" /var/log/auth.log /var/log/secure 2>/dev/null

grep "Accepted publickey" /var/log/auth.log /var/log/secure 2>/dev/null

grep -E "Accepted password|Accepted publickey|session opened for user" /var/log/auth.log /var/log/secure 2>/dev/null

grep "Accepted password" /var/log/auth.log | tail -50

Journalctl

journalctl -u ssh | grep "Accepted"

journalctl -u sshd | grep "session opened"

Login Databases

last

lastlog

Sigma

title: Linux Successful SSH Login
id: linux-successful-ssh-login
status: experimental
description: Detects successful SSH authentication that may indicate valid account compromise
logsource:
  product: linux
  service: auth
detection:
  selection:
    message|contains:
      - 'Accepted password'
      - 'Accepted publickey'
      - 'session opened for user'
  condition: selection
fields:
  - message
  - hostname
  - source_ip
falsepositives:
  - Legitimate remote administration
  - Automation
level: medium
tags:
  - attack.initial_access
  - attack.t1021.004
  - attack.t1078

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
SSH authentication	Prefer key auth with strong key governance	High	Reduces password compromise risk.
Password auth	Disable where possible	Critical	Removes brute-force credential entry path.
Root login	Disable direct root SSH	Critical	Removes highest-risk direct privilege entry.
MFA	Add second factor	High	Stops valid password-only compromise.
Source restrictions	Restrict SSH to trusted ranges	Critical	Major reduction of exposure.
Logging retention	Preserve auth and session logs	High	Essential for compromise reconstruction.
Key hygiene	Review authorized keys regularly	High	Prevents silent key persistence.

Fast Triage Checks

Question	Command / Artifact	Why It Matters
Who logged in recently?	`last`	Establish active session timeline.
Was login password or key?	grep accepted auth method	Determines likely attack path.
Was success preceded by failures?	grep failures before success	Identifies brute-force transition.
What commands ran after login?	shell history	Immediate operator evidence.
Was sudo used?	grep sudo in auth logs	Escalation detection.
Was persistence added?	inspect cron, keys, users	Attacker stabilization.

High Value Grep Strings

Pattern	Why It Matters
`Accepted password`	Primary password success marker.
`Accepted publickey`	Key-based session established.
`session opened for user`	Session fully opened.
`pam_unix(sshd:session)`	PAM-backed successful session lifecycle.
`Received disconnect`	Session boundary evidence.
`Connection closed`	Useful for duration estimation.

Analyst Notes

Scenario	Interpretation
Success after brute force burst	High-confidence credential compromise.
Publickey success on unexpected account	Likely SSH key persistence or stolen key.
Root success with unknown IP	High severity immediate escalation lead.
Very short login + file changes	Fast operator stabilization behavior.
Success with no shell history	Non-interactive command, cleanup, or history tampering possible.
Service account login	Often highly suspicious unless explicitly expected.