MITRE ATT&CK® Analytic

AN0751: Analytic 0751

SSH session from new source IP followed by interactive shell or privilege escalation (e.g., sudo, su) and outbound lateral connection.

Enterprise | AN0751 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about a Linux SSH login from a source IP that has not been seen before, followed by hands-on activity such as an interactive shell, privilege escalation with tools like sudo or su, and then an outbound connection that may indicate movement to another system. For leaders, the value is not the SSH event alone; it is the sequence that can turn a single remote login into a broader incident requiring identity review, host investigation, and containment decisions.

Executive priority

Prioritize this as a validation point for remote access governance and incident readiness on Linux systems. Security leaders should ask whether the organization can prove who connected over SSH, from where, what privilege changes occurred, and whether the same session initiated connections to other internal or external systems. This supports business continuity by helping distinguish legitimate administration from potentially risky post-login activity, and it can provide audit-relevant evidence around privileged access monitoring.

Technical view

For SOC and IR teams, this analytic should be implemented as a sequence-based detection on Linux telemetry: a new SSH source IP, followed by interactive shell activity or privilege escalation indicators, followed by outbound lateral connection behavior. Because no official detection logic is provided, teams should define local baselines for expected administrator source IPs, jump hosts, service accounts, and normal sudo or su usage. The analytic is most useful when SSH authentication, process execution, privilege escalation, and network connection data can be correlated by host, user, session, and time window.

Likely telemetry

  • Linux SSH authentication logs showing source IP, user, host, and login outcome
  • Linux process execution telemetry for interactive shells and commands such as sudo or su
  • Privilege escalation or authentication logs associated with sudo and su activity
  • Network connection telemetry from the Linux host showing outbound connections after login
  • Asset and identity context for expected administrators, service accounts, jump hosts, and managed Linux servers

Detection direction

  • Validate that SSH log sources capture source IP and user context consistently across Linux systems.
  • Correlate SSH login events with subsequent shell, sudo, su, and outbound connection activity within a defensible time window.
  • Tune for known administrative paths such as approved VPN ranges, bastion hosts, automation accounts, and maintenance windows to reduce false positives.
  • Treat 'new source IP' as environment-relative; detections need historical baselines or allowlists to avoid noisy alerts.
  • Investigate sequences more aggressively when the destination host is sensitive, the account is privileged, or the outbound connection is unusual for that host or user.
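The three-stage correlation described in the technical view and detection direction above, as an added example that is not part of the MITRE object or Glexia's analysis: it parses constructed syslog-style sshd, sudo and su lines, checks the source IP against a local per-account baseline, and only alerts when escalation and then an outbound connection follow on the same host and account inside the window. The host name, accounts, IPs, baseline, the outbound-connection feed format and the 30-minute window are all assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample telemetry from one Linux host (not real logs); syslog
# timestamps carry no year, so 2024 is assumed when parsing them.
AUTH_LOG = """\
Jan 10 09:00:01 web01 sshd[1201]: Accepted publickey for deploy from 10.0.5.20 port 50122 ssh2
Jan 10 09:00:05 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jan 10 09:12:40 web01 sshd[1340]: Accepted password for deploy from 203.0.113.77 port 41022 ssh2
Jan 10 09:13:02 web01 su[1355]: (to root) deploy on pts/1
Jan 10 09:20:15 web01 sshd[1402]: Accepted publickey for backup from 198.51.100.9 port 39000 ssh2
"""
# Hypothetical outbound-connection feed: (timestamp, host, user, dst_ip, dst_port).
NET_EVENTS = [
    ("Jan 10 09:00:09", "web01", "deploy", "10.0.5.50", 443),  # follows a baseline IP
    ("Jan 10 09:14:30", "web01", "deploy", "10.0.7.14", 22),   # follows new IP + su
    ("Jan 10 09:21:00", "web01", "backup", "10.0.9.3", 22),    # new IP but no sudo/su
]
# Local baseline of approved source IPs per account (environment-relative, assumed).
BASELINE = {"deploy": {"10.0.5.20"}, "backup": {"10.0.5.21"}}

SSH_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
ESC_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (?:sudo:\s+(\S+) :|su(?:\[\d+\])?: \(to \S+\) (\S+) on)")

def ts(s):
    return datetime.strptime("2024 " + s, "%Y %b %d %H:%M:%S")

def detect(auth_log, net_events, baseline, window_minutes=30):
    # One alert per SSH login from a non-baseline IP that is followed, on the same
    # host and account, by sudo/su and then an outbound connection, all within the window.
    window = timedelta(minutes=window_minutes)
    logins, escalations = [], []
    for line in auth_log.splitlines():
        if m := SSH_RE.match(line):
            logins.append((ts(m[1]), m[2], m[3], m[4]))
        elif m := ESC_RE.match(line):
            escalations.append((ts(m[1]), m[2], m[3] or m[4]))
    alerts = []
    for t_login, host, user, src in logins:
        if src in baseline.get(user, set()):
            continue  # known administrative path: stage 1 not met
        t_end = t_login + window
        esc = [t for t, h, u in escalations if h == host and u == user and t_login <= t <= t_end]
        if not esc:
            continue  # remote login without hands-on escalation: stage 2 not met
        t_esc = min(esc)  # stage 3 must come after the first escalation
        for t_net, h, u, dst, port in net_events:
            if h == host and u == user and t_esc <= ts(t_net) <= t_end:
                alerts.append({"host": host, "user": user, "src_ip": src, "dst": f"{dst}:{port}"})
                break
    return alerts
```

Real deployments should also link stages by session (for example the sshd PID or TTY) rather than by account and time alone, and the baseline should come from historical login data or an allowlist maintained by the administrators who own the hosts.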

Mitigation priorities

  • Establish and maintain approved SSH access paths, including expected source networks, bastion hosts, and administrative identities.
  • Ensure Linux systems produce and retain SSH, privilege escalation, process, and network telemetry needed for session reconstruction.
  • Apply least-privilege access for Linux administration and review use of sudo or su for privileged accounts.
  • Use identity and access reviews to confirm that accounts with SSH access are still required and appropriately governed.
  • Create incident response playbooks for suspicious SSH sessions that include account review, host triage, session timeline reconstruction, and lateral connection scoping.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and no ATT&CK tactic or relationship context was supplied. The description supports a sequence-focused Linux detection around SSH access, privilege escalation, and outbound connections. Local baselining is essential because new source IPs and privilege escalation commands can be legitimate for administrators.

Official detection content is not provided, and there are no relationships, mitigations, data components, or tactic mappings supplied. This take therefore avoids asserting specific ATT&CK technique coverage, adversary use, impact, or guaranteed detection. Implementation details must be validated against the organization’s Linux logging, endpoint telemetry, identity sources, and network visibility.

Official MITRE ATT&CK definition

Analytic 0751

SSH session from new source IP followed by interactive shell or privilege escalation (e.g., sudo, su) and outbound lateral connection.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0dedd108f9f3abcc...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 0dedd108f9f3…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0751

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.