AN0711: Analytic 0711
Unusual access to SSH agent sockets in /tmp/ or /private/tmp, process access to another user’s $SSH_AUTH_SOCK, and lateral SSH activity without corresponding login events. Defender view: correlation of socket access with anomalous network flows to internal systems.
Analyst context for executives and security teams
This analytic matters because SSH agent sockets can represent delegated access to systems without exposing a private key directly. On macOS, unusual access to SSH agent sockets in /tmp/ or /private/tmp, access to another user’s SSH_AUTH_SOCK, or SSH activity that lacks matching login evidence can indicate that identity-based access paths need closer investigation. For leaders, the practical issue is whether the organization can prove who used SSH access, from where, and whether that use aligns with expected administrative activity.
Executive priority
Prioritize this where macOS users or administrators use SSH to reach internal systems. The decision value is identity assurance and incident readiness: confirm that SOC and IR teams can correlate local socket access with internal SSH network flows and login records. If that evidence is missing, investigations may struggle to distinguish legitimate administrator workflows from suspicious lateral access using an existing SSH agent session.
Technical view
Validate whether macOS endpoint telemetry can show process access to SSH agent sockets under /tmp/ or /private/tmp and whether the accessing process/user differs from the socket owner or expected SSH_AUTH_SOCK context. Correlate those events with network flows to internal systems and available SSH login records. The key analytic pattern from the ATT&CK object is not socket access alone, but unusual socket access plus lateral SSH activity without corresponding login events.
Likely telemetry
- macOS endpoint process activity
- File or socket access events for /tmp/ and /private/tmp
- Environment variable context for SSH_AUTH_SOCK where available
- User/session ownership context
- Network flow records for SSH connections to internal systems
Detection direction
- Baseline legitimate macOS SSH agent usage by administrators, developers, automation, and management tools before alerting broadly.
- Look for process access to another user’s SSH_AUTH_SOCK or SSH agent sockets in temporary directories.
- Correlate local socket access with outbound SSH network flows to internal systems.
- Investigate SSH activity that lacks corresponding login events or does not match expected user/session context.
- Tune for false positives from legitimate terminal multiplexers, remote administration workflows, developer tooling, and automation that may interact with SSH agents.
Mitigation priorities
- Inventory where macOS SSH agent use is expected and which roles depend on it.
- Limit unnecessary shared or multi-user access patterns that could expose another user’s SSH_AUTH_SOCK context.
- Strengthen logging for macOS process activity, socket/file access in temporary paths, SSH network flows, and destination login records.
- Use least-privilege access and clear administrative workflows so anomalous SSH agent use has meaningful context.
- Ensure incident response playbooks include validation of SSH agent socket ownership, related processes, network destinations, and login evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS focused on unusual SSH agent socket access and correlation with internal SSH activity. No tactic, relationship context, or official detection logic was supplied, so this take emphasizes validation questions and telemetry requirements rather than a specific rule.
Official detection content and relationships were not provided. This summary does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local baselines, endpoint visibility, SSH logging, and network telemetry determine whether this analytic is actionable in a specific environment.
Analytic 0711
Unusual access to SSH agent sockets in /tmp/ or /private/tmp, process access to another user’s $SSH_AUTH_SOCK, and lateral SSH activity without corresponding login events. Defender view: correlation of socket access with anomalous network flows to internal systems.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | a0d6771e52af… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0711Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.