Tracking SSH logins via process activity

Because major macOS intrusions often use the SSH service, here at Jamf Protect we’ve been researching the ways in which we can use the Jamf Protect agent to best detect malicious SSH logins and bring them to the attention of those who need to know.

December 21 2020 by

Jaron Bradley

Jamf Protect can help Mac admins detect malicious SSH actions.

Using the Jamf Protect agent to monitor SSH actions

In a recent post over at I discussed the different ways in which we can monitor different actions happening over SSH. Here at Jamf Protect we’ve been researching the ways in which we can use the Jamf Protect agent to best detect some of these different activities and bring them to the attention of those who need to know. SSH is an incredibly handy tool for administrators managing employee systems, developers managing virtual machines, engineers managing build servers, and so much more. On the other hand, nearly all of the major macOS intrusions I’ve analyzed over the years have had the SSH service play a role in one way or another. This is because it’s a tool that’s built in to macOS that allows for remote access to other systems so long as:

  1. Remote Logins are enabled on the system
  2. Accurate Credentials are provided

In the interest of providing better visibility to customers, we wanted to take a bit of time to discuss how the detection of various SSH activities can be performed using Jamf Protect, endpoint security for Mac. Of course analytics for all of these are provided in Jamf Protect today.

Analytic One → SSH Login

As described in the aforementioned blog post, it is possible to detect SSH logins by monitoring for specific process activity. Normally, for such a log event we would recommend using Apple’s Unified Log. However, when an SSH login occurs, the default logging level does not actually generate any log events. To solve this issue, instead of using the Unified Log, we will look at processes instead.

Standard process tree: Computer —> launchd —> ssh-keygen-wrapper —> sshd —> zsh

The above image is what the standard process tree looks like when an SSH login occurs. The SSH Login analytic will fire a log event anytime the sshd process creates an interactive shell.

Analytic Two → SSH Root Login

Using SSH to access a system as the root user is not considered best practice. Instead, users should be accessing the system with basic permissions and escalating once they are on it. This is why we have also created an analytic that will look for anytime an SSH login occurs where the successfully logged on user was the root user. This should help security teams both respond to bad practice as well as pickup potential malicious activity. It is not uncommon for attackers to modify an SSH server to allow for the root user to log directly in. This could be by modifying the SSH configuration or by modifying the system to run a backdoor’ed version of SSH.

To pickup this activity with Jamf Protect, we simply perform the same detection as above, however, we’ll look specifically for when the shell created by ssh has a uid of 0. This uid is reserved on most Unix systems for the root user.

Computer —> launchd —> ssh-keygen-wrapper —> sshd —> zsh did: 0

Analytic Three → SSH Enabled via Command Line

Finally for something a little simpler, it also makes good sense to monitor for any time when SSH activity is enabled from the command line. The most common way to do this on macOS is to use the systemsetup setup command as follows.

 sudo systemsetup -setremotelogin on 

Root permissions are required to do this which at least ensures an attacker would have to find a way to escalate privileges before being able to turn on SSH when it’s currently disabled. This is yet another simple command to detect via Jamf Protect and so we have enabled it as a visibility log item.

Jamf Protect helps provide visibility into suspicious SSH behavior

SSH is used by attackers for initial entry to networks as well as to move laterally through them. Knowing the systems that are receiving remote logins in your environment is important. SSH is often used heavily in development environments and automation environments so it can be tricky to pick out what is anomalous and what is normal. Over time as you learn what normal SSH activity looks like in your environment it should be come easier to pick up on what looks suspicious and we’re here at Jamf Protect to help provide you with visibility into that.

Protect your Apple devices: request a free Jamf Protect trial today.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.