This note documents detection patterns related to SSH Lateral Movement on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | ssh user@host | Remote host access initiated | Critical | Primary lateral movement indicator. |
| Shell history | scp | File transfer to another host | Critical | Common lateral staging method. |
| Shell history | rsync -e ssh | SSH-based transfer | High | Often used for stealthier movement. |
| Shell history | ssh -i | Explicit key usage | Critical | Indicates controlled credential use. |
| Shell history | ProxyCommand | Pivoted SSH movement | Critical | Advanced lateral movement signal. |
| Shell history | sshpass | Password-based automated movement | Critical | Strong operator indicator. |
| auth.log / secure | outbound SSH accepted on target | Target-side remote login | Critical | Confirms remote entry. |
| auth.log / secure | local accepted outbound identity | Source-side key usage context | High | Source attribution. |
| known_hosts | new remote host entry | Host reached | Critical | Strong pivot artifact. |
| authorized_keys | key reused across hosts | Credential spread | High | Lateral persistence clue. |
| auditd | execve of ssh/scp/rsync | Process attribution | Critical | Best attribution if enabled. |
| journalctl | ssh invocation | Runtime clue | High | Depends on logging depth. |
| Network telemetry | outbound TCP/22 to internal host | Internal movement | Critical | Strong network proof. |
| File timestamps | known_hosts updated | Timeline anchor | High | Correlates movement window. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| SSH immediately after foothold | Expansion from first host | Critical | Common attacker progression. |
| Internal IP targets | East-west movement | Critical | Strong lateral signal. |
| Same key on multiple hosts | Credential reuse | Critical | Cross-host compromise clue. |
| SSH to dormant admin server | Unusual target choice | High | Context strengthens suspicion. |
| File transfer before login elsewhere | Payload staging | Critical | Strong operational sequence. |
| SSH from service account | Highly suspicious | Critical | Often exploitation context. |
| known_hosts suddenly populated | Broad movement | High | Strong artifact when shell history missing. |
| ProxyCommand used | Pivot chain | Critical | Advanced operator behavior. |
| SSH plus sudo on target | Escalation after movement | Critical | Multi-host compromise chain. |
| Internal SSH burst to many hosts | Enumeration + movement | Critical | Strong campaign signal. |
Common Tools
| Tool | Usage |
|---|---|
| ssh | Standard remote movement. |
| scp | Payload transfer. |
| rsync | Bulk file transfer. |
| sshpass | Password automation. |
| ProxyCommand | Pivot through intermediate host. |
| ProxyJump | Modern SSH pivoting. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Shell history | .bash_history, .zsh_history | Critical | Primary source-side movement evidence. |
| Known hosts | ~/.ssh/known_hosts | Critical | Ground truth for which remote hosts were contacted. |
| SSH config | ~/.ssh/config | High | Custom pivot definitions. |
| SSH keys | ~/.ssh/ | Critical | Credential source. |
| Auth logs | /var/log/auth.log, /var/log/secure | Critical | Source and target login evidence. |
| Audit logs | /var/log/audit/audit.log | Critical | Process attribution. |
| Network logs | flow / firewall / EDR | Critical | Internal TCP/22 movement. |
| Target host logs | remote auth evidence | Critical | Confirms second host compromise. |
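An added example (not from the original note) for the known_hosts artifact above: it checks a known_hosts file for a list of candidate hosts, including the hashed entries OpenSSH writes when HashKnownHosts is on, which a plain grep cannot match by name. The sample file, the fixed salt and the key blobs are constructed.

```python
import base64
import hashlib
import hmac

def hashed_host_field(hostname, salt):
    """Build the |1|salt|hash field OpenSSH writes when HashKnownHosts is on."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_field_matches(field, candidate):
    """True if a known_hosts host field (plain list or hashed) names candidate."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|", 3)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        actual = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return candidate in field.split(",")      # "db01,10.0.5.20" style plain entry

def find_contacted_hosts(known_hosts_text, candidates):
    """Return {candidate: line_no} for each candidate present in known_hosts."""
    hits = {}
    for line_no, line in enumerate(known_hosts_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):               # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        host_field = line.split(None, 1)[0]
        for cand in candidates:
            if cand not in hits and host_field_matches(host_field, cand):
                hits[cand] = line_no
    return hits

# Constructed sample known_hosts (not from a real host): one plaintext entry and
# two hashed entries built with a fixed salt so the run is reproducible. The
# key blobs are placeholders, not real public keys.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "bastion,10.0.1.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1",
    hashed_host_field("10.0.5.20", _SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2",
    hashed_host_field("db01.corp.internal", _SALT) + " ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3",
])

if __name__ == "__main__":
    # The candidate list would normally come from DHCP leases, a CMDB or flow logs.
    print(find_contacted_hosts(SAMPLE_KNOWN_HOSTS, ["10.0.5.20", "db01.corp.internal", "10.0.9.9"]))
```

Hosts reached on a non-default port are stored as `[host]:port` and must be offered as candidates in that form.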
MITRE ATT&CK References
- T1021 Remote Services
- T1021.004 SSH
- T1078 Valid Accounts
- T1105 Ingress Tool Transfer
Decision Tree
- Was outbound SSH used?
  - Search shell history and network logs.
- Which target host?
  - Internal IP, hostname, role.
- Which credential?
  - Password, key, explicit identity.
- Was file transfer involved?
  - SCP, rsync, copied payloads.
- Did target show login?
  - Confirm on remote logs.
- Pivot
  - known_hosts → host list.
  - SSH key → credential spread.
  - Target → persistence or escalation.
- Confirm lateral movement
  - Outbound SSH + target login + credential artifact = strong lateral movement.
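The confirmation rule above, as an added example that is not code from the original note: it parses a foothold's shell history for outbound ssh/scp/rsync to internal hosts, joins each with the target's auth.log "Accepted" and sudo lines, and grades the finding. The sample evidence, the source IP and the internal-host heuristic are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample evidence (not from a real incident): the foothold's shell
# history and the target's auth.log. Key path and fingerprint are placeholders.
SOURCE_IP = "10.0.1.50"
SOURCE_HISTORY = """scp -i /tmp/id_ed25519 /tmp/payload.tgz svc-backup@10.0.5.20:/tmp/
ssh -i /tmp/id_ed25519 svc-backup@10.0.5.20
ssh git@github.com
"""
TARGET_AUTH_LOG = """Mar 14 02:11:07 db01 sshd[2210]: Accepted publickey for svc-backup from 10.0.1.50 port 51822 ssh2: ED25519 SHA256:PLACEHOLDER
Mar 14 02:15:40 db01 sudo:   svc-backup : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
"""
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=root")

def is_internal(host):
    """Heuristic (assumption): private IPs, bare names and *.internal are east-west."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host or host.endswith(".internal")

def parse_outbound(history):
    """Pull cmd, user, host and any -i identity from ssh/scp/rsync/sshpass lines."""
    found = []
    for argv in (line.split() for line in history.splitlines()):
        if not argv or argv[0] not in ("ssh", "scp", "rsync", "sshpass"):
            continue
        identity = next((argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-i"), None)
        target = next((a for a in argv[1:] if "@" in a), None)   # first user@host[:path]
        if target:
            user, _, rest = target.partition("@")
            found.append({"cmd": argv[0], "user": user, "host": rest.split(":")[0], "identity": identity})
    return found

def correlate(history, auth_log, source_ip):
    """Join outbound internal SSH with target-side logins (and sudo) from source_ip."""
    logins = {m.groups() for m in ACCEPTED_RE.finditer(auth_log)}       # (user, from_ip)
    sudo_users = {m.group(1) for m in SUDO_RE.finditer(auth_log)}
    findings = []
    for o in parse_outbound(history):
        if not is_internal(o["host"]):
            continue                                   # e.g. ssh to a public git host
        confirmed = (o["user"], source_ip) in logins
        verdict = "strong" if confirmed and o["identity"] else "probable" if confirmed else "unconfirmed"
        findings.append({**o, "target_login": confirmed,
                         "sudo_on_target": confirmed and o["user"] in sudo_users, "verdict": verdict})
    return findings
```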
Example Detection Templates
Grep
```bash
# Outbound ssh/scp/rsync and pivot options in every user's shell history (bash and zsh)
grep -R "ssh \|scp \|rsync -e ssh\|sshpass\|ProxyCommand\|ProxyJump" \
  /home/*/.bash_history /root/.bash_history /home/*/.zsh_history /root/.zsh_history 2>/dev/null
# Custom host and pivot definitions in per-user SSH configs
grep -R "Host \|ProxyJump\|ProxyCommand" /home/*/.ssh/config /root/.ssh/config 2>/dev/null
# Dump every known_hosts entry; hashed entries do not show the hostname, so keep the full list
grep -R "" /home/*/.ssh/known_hosts /root/.ssh/known_hosts 2>/dev/null
```
Journalctl
```bash
# Runtime clues about ssh invocations; depth depends on the journal's logging configuration
journalctl | grep ssh
```
File Inspection
```bash
# Modification time of known_hosts anchors the movement window
stat ~/.ssh/known_hosts
# Locate every user's known_hosts for review
find /home /root -name known_hosts 2>/dev/null
```
Sigma
```yaml
title: Linux SSH Lateral Movement
id: linux-ssh-lateral-movement
status: experimental
description: Detects SSH usage patterns consistent with internal lateral movement
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'ssh '
      - 'scp '
      - 'rsync -e ssh'
      - 'sshpass'
      - 'ProxyCommand'
      - 'ProxyJump'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate administration
level: high
tags:
  - attack.lateral_movement
  - attack.t1021.004
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Key governance | Limit SSH key spread | Critical | Reduces credential reuse. |
| Internal segmentation | Restrict east-west SSH | Critical | Major movement barrier. |
| Logging | Preserve source and target SSH logs | High | Needed for chain reconstruction. |
| Auditd | Track ssh/scp execve | High | Strong attribution. |
| MFA / bastions | Centralize privileged SSH | High | Reduces direct host-to-host movement. |
| Known host review | Monitor unusual growth | Medium | Useful artifact anomaly. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Was ssh used outbound? | grep history | Immediate movement check. |
| Which hosts were touched? | known_hosts | Host pivot list. |
| Was key used? | inspect ssh -i / keys | Credential clue. |
| Was file transferred? | scp / rsync history | Payload movement clue. |
| Did target confirm login? | target auth logs | Proof of movement. |
| Did target gain persistence? | inspect remote artifacts | Chain continuation. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| ssh | Primary movement command. |
| scp | File transfer. |
| rsync -e ssh | Bulk transfer. |
| ssh -i | Explicit key use. |
| sshpass | Password automation. |
| ProxyCommand | Pivot indicator. |
| ProxyJump | Advanced SSH pivoting. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| SSH to internal host after foothold | Strong lateral movement. |
| known_hosts updated but no history | History tampering possible. |
| Same key reused widely | Credential spread likely. |
| SCP before target login | Payload staging pattern. |
| ProxyCommand present | Multi-hop operator movement. |
| Service account SSH | Highly suspicious unless expected. |