This note documents detection patterns related to Credential Reuse on Linux systems.

Direct Indicators

Source	Grep Pattern / Artifact	Meaning	Forensic Value	Notes
Shell history	`ssh user@host` repeated across hosts	Same credential reused	Critical	Common lateral movement pattern.
Shell history	`sshpass -p`	Explicit password reuse	Critical	Strong operator indicator.
Shell history	`su - user`	Local credential reuse	Critical	Alternate account pivot.
Shell history	`sudo -u user`	Cross-account execution	High	May indicate credentialed pivot.
Auth logs	same account from multiple hosts	Reused valid account	Critical	Strong timeline signal.
Auth logs	rapid multi-host success	Credential spread	Critical	Strong lateral indicator.
`known_hosts`	many new hosts under same user	Broad reuse	High	Host expansion artifact.
SSH key use	same key across multiple systems	Key reuse	Critical	Common Linux lateral path.
`authorized_keys`	reused inserted key	Persistence + reuse	Critical	Strong credential chain.
`auditd`	repeated ssh/su/sudo execution	Process attribution	Critical	Best attribution if enabled.
Shell history	`scp` after repeated ssh	Credential-backed transfer	Critical	Confirms operational use.
Journald	multiple auth successes	Runtime clue	High	Useful across host timeline.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Same account across internal servers	Lateral credential reuse	Critical	Strong compromise chain.
SSH key read then multi-host login	Key-driven movement	Critical	Common attacker progression.
Password auth after shadow access	Credential theft followed by use	Critical	Strong hostile sequence.
Dormant account suddenly multi-host active	Suspicious reuse	Critical	High anomaly value.
Same user plus sudo on multiple hosts	Broad privilege reuse	Critical	Strong campaign signal.
Reused key under service account	Suspicious context	Critical	Often exploitation-driven.

Common Tools

Tool	Usage
`ssh`	Credential-backed remote access.
`sshpass`	Password automation.
`su`	Local account pivot.
`sudo -u`	Alternate user execution.
`scp`	Transfer after credential reuse.

Relevant Artifacts

Artifact	Path / Command	Forensic Value	Notes
Auth logs	`/var/log/auth.log`, `/var/log/secure`	Critical	Primary reuse truth.
SSH keys	`~/.ssh/`	Critical	Key source.
Known hosts	`~/.ssh/known_hosts`	High	Host spread evidence.
Shell history	`.bash_history`	Critical	Command chain.
Audit logs	`/var/log/audit/audit.log`	Critical	Process attribution.

MITRE ATT&CK References

T1078 Valid Accounts
T1021.004 SSH
T1550 Use Alternate Authentication Material

Decision Tree

Was same credential used repeatedly?
Across which hosts?
Password or key?
Did reuse follow credential theft?
Did reuse enable privilege escalation?

Example Detection Templates

Grep

grep -R "ssh \|sshpass\|su - \|sudo -u " /home/*/.bash_history /root/.bash_history 2>/dev/null

Journalctl

journalctl | grep ssh

Sigma

title: Linux Credential Reuse
id: linux-credential-reuse
status: experimental
description: Detects repeated credential-backed access patterns across Linux hosts
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'sshpass'
      - 'su -'
      - 'sudo -u'
  condition: selection_keywords
level: high
tags:
  - attack.lateral_movement
  - attack.t1078

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
MFA	Protect SSH and privileged accounts	Critical	Reduces reuse success.
Key hygiene	Rotate exposed keys	Critical	Limits spread.
Log correlation	Cross-host auth review	High	Detects reuse patterns.

Fast Triage Checks

Question	Command / Artifact	Why It Matters
Same account across hosts?	auth logs	Reuse proof.
Same key reused?	ssh artifacts	Lateral clue.
Followed credential theft?	correlate history	Attack chain.