[New Rule] Potential SSH Hijacking

## Description

This rule detects the use of the SSH_AUTH_SOCK environment variable in a process command-line to hijack a user's existing SSH session in order to move laterally without requiring the user's authentication material. Threat actors will abuse this technique in order to silently move laterally and access additional resources.

### Target Operating Systems

Linux, macOS

### Tested ECS Version
1.11.0

### Query
```sql
process where event.type == "start" and event.action == "exec" and process.name : ("sudo", "ssh", "bash", "sh", "zsh", "csh") and process.args : "SSH_AUTH_SOCK=*" and not process.parent.name : "vault"
```

### References
https://embracethered.com/blog/posts/2022/ttp-diaries-ssh-agent-hijacking/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rule] Potential SSH Hijacking #2364

Description

Target Operating Systems

Tested ECS Version

Query

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[New Rule] Potential SSH Hijacking #2364

Description

Description

Target Operating Systems

Tested ECS Version

Query

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions