AN1638: Analytic 1638
SSH login from a remote system (via sshd), followed by user context execution of suspicious binaries or privilege escalation behavior.
Analyst context for executives and security teams
This analytic matters because remote SSH access is often a legitimate administration path, but a successful SSH login followed by suspicious binary execution or privilege-escalation behavior can indicate that an account or access path is being used in a risky way. For leaders, the decision value is validating whether Linux remote access is observable enough to distinguish normal administration from activity that may require incident response.
Executive priority
Prioritize this as a Linux remote-access monitoring and response-readiness question: do security teams have evidence for who logged in over SSH, from where, and what the session did next? The business risk is not the SSH login alone, but the combination of remote access and follow-on execution or privilege escalation that could affect operational continuity, auditability, and incident decision-making.
Technical view
SOC and detection teams should validate correlation between sshd authentication/session events and subsequent process execution under the logged-in user context, especially executions considered suspicious locally or behaviors associated with privilege escalation. Because ATT&CK provides no detection logic, thresholds, tactics, or relationships for this analytic, teams should define environment-specific baselines for administrator activity, service accounts, jump hosts, and expected Linux maintenance workflows.
Likely telemetry
- Linux authentication logs showing SSH login activity via sshd
- Remote source address, destination host, user account, and session timing
- Process creation telemetry for commands and binaries executed after login
- User context and parent-child process relationships tied to the SSH session
- Privilege escalation evidence such as sudo/su activity or other local elevation indicators
Detection direction
- Validate that SSH logins and post-login process execution can be correlated by host, user, time, and session context.
- Tune for sequences where remote SSH login is followed by unusual binaries, unexpected paths, anomalous command execution, or privilege-escalation behavior.
- Account for legitimate administrator, automation, and maintenance activity to reduce false positives.
- Check blind spots such as incomplete Linux process logging, short log retention, NAT or jump-host ambiguity, missing sudo/su records, and systems not forwarding auth logs.
- Because no official detection is provided, treat AN1638 as a detection objective rather than a ready-to-deploy rule.
Mitigation priorities
- Ensure centralized collection and retention of Linux SSH authentication and process execution telemetry.
- Harden and govern SSH access with least privilege, approved administrative paths, and reviewable account ownership.
- Require privileged activity to be auditable, including elevation events and commands run after remote login.
- Use baselines for expected administrative behavior so suspicious post-login execution can be prioritized during triage.
- Confirm incident response playbooks cover SSH account investigation, session scoping, host containment decisions, and credential review.
Analyst notes and limits
AN1638 is a MITRE ATT&CK detection analytic for Linux describing SSH login from a remote system via sshd followed by user-context execution of suspicious binaries or privilege-escalation behavior. No ATT&CK relationships, tactics, or official detection logic were supplied, so this take focuses on defensive validation and telemetry requirements rather than asserting specific adversary procedures.
The supplied object is sparse: Linux is the only platform, tactics are not specified, detection text is not provided, and there are no relationship links to techniques, groups, malware, mitigations, or data components. Local environment context is required to define what counts as suspicious execution or privilege escalation.
Analytic 1638
SSH login from a remote system (via sshd), followed by user context execution of suspicious binaries or privilege escalation behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 217699e66ed5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1638Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.