Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0710: Analytic 0710

Suspicious reuse of SSH agent sockets across multiple users or processes, anomalous access to ~/.ssh/ or /tmp/ssh-* sockets, and abnormal patterns of lateral movement via SSH without new authentication events. Defender view: detect when one process accesses another user's SSH agent or when an existing SSH connection is used to pivot unexpectedly.

EnterpriseAN0710AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because SSH agent sockets can become a quiet path for Linux lateral movement when an existing authenticated SSH session or agent is reused instead of creating a new, obvious login event. For leaders, the decision value is whether the organization can prove it would notice suspicious cross-user or cross-process access to SSH agent sockets, especially in environments where Linux servers support critical operations, administration, or engineering workflows.

Executive priority

Prioritize this as a Linux identity and privileged-access visibility question: if SSH agent reuse is not monitored, incident responders may have weaker evidence for how an intruder moved between systems or users. Security leaders should ask whether Linux endpoint telemetry, SSH logs, and session context are sufficient to distinguish legitimate administrator workflows from unexpected pivots, and whether this evidence supports incident response and audit needs.

Technical view

The supplied ATT&CK analytic focuses on suspicious reuse of SSH agent sockets across multiple users or processes, anomalous access to ~/.ssh/ or /tmp/ssh-* sockets, and lateral SSH activity without corresponding new authentication events. SOC and detection engineering teams should validate whether Linux telemetry can connect process identity, user identity, socket path access, SSH session activity, and authentication events. Because no official detection logic is provided, local baselining is required to separate normal agent forwarding or administrative automation from abnormal cross-user/process access.

Likely telemetry

  • Linux process execution and parent/child process context
  • File and socket access telemetry for ~/.ssh/ and /tmp/ssh-* paths
  • SSH authentication logs and session records
  • User identity, effective user, and privilege context for processes accessing agent sockets
  • Network connection telemetry for SSH activity between Linux hosts

Detection direction

  • Validate that telemetry captures access to SSH agent sockets, not only SSH login success or failure events.
  • Correlate SSH lateral movement patterns with authentication events; investigate SSH connections that appear to occur without new expected authentication activity.
  • Look for one process or user accessing another user's SSH agent socket, especially in /tmp/ssh-* or user .ssh paths.
  • Baseline legitimate SSH agent forwarding, shared administration hosts, automation, and jump-host workflows to reduce false positives.
  • Treat gaps in Linux endpoint audit coverage as a material blind spot because the analytic depends on process, user, socket, and SSH-session correlation.

Mitigation priorities

  • Inventory where SSH agent forwarding and agent sockets are used on Linux systems supporting sensitive administration or operations.
  • Limit unnecessary SSH agent forwarding and cross-user access patterns where business workflows allow.
  • Strengthen privileged-access and Linux administration procedures so expected SSH session behavior is documented and reviewable.
  • Ensure incident response playbooks include collection of SSH logs, process context, socket access evidence, and user/session timelines.
  • Use detection engineering reviews to confirm that Linux endpoint and SSH telemetry are retained long enough to support investigations.
Analyst notes and limits

This is a detection analytic object, not a technique description, and it is Linux-specific in the supplied fields. There are no relationships, tactics, aliases, or official detection implementation details supplied. The practical value is in validating whether existing Linux logging can expose suspicious SSH agent socket reuse and unexpected pivots.

No official detection text, data source list, relationship context, or procedure examples were supplied. This take does not infer active exploitation, attribution, affected products, or guaranteed detectability. Local environment baselines are required because legitimate SSH agent forwarding and administrative automation may resemble suspicious behavior.

Official MITRE ATT&CK definition

Analytic 0710

Suspicious reuse of SSH agent sockets across multiple users or processes, anomalous access to ~/.ssh/ or /tmp/ssh-* sockets, and abnormal patterns of lateral movement via SSH without new authentication events. Defender view: detect when one process accesses another user's SSH agent or when an existing SSH connection is used to pivot unexpectedly.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
53db2f0408cae155...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 53db2f0408ca…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0710
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use