DET0596: Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution
Analyst context for executives and security teams
DET0596 is a detection strategy for spotting remote SSH logins that are followed by execution activity. Its business value is in validating whether defenders can recognize potentially unauthorized use of valid accounts over SSH before lateral movement becomes a broader operational incident.
Executive priority
Prioritize this as an identity, server, and incident-response readiness question: can the organization prove who used SSH, from where, to which systems, and what happened immediately after login? The related ATT&CK technique is SSH under lateral movement, with relevance to ESXi, Linux, and macOS environments. This makes the strategy important for resilience planning, privileged access review, SOC evidence quality, and auditability of administrative access.
Technical view
The supplied object has no official description, detection logic, platforms, or tactics of its own. Its relationship indicates it detects T1021.004 SSH, a lateral-movement technique where adversaries may use valid accounts to log into remote machines and act as the logged-on user. SOC and detection teams should validate correlation between remote SSH authentication/session events and subsequent post-login execution on the destination host, especially where SSH is enabled on ESXi, Linux, or macOS systems.
Likely telemetry
- SSH authentication success and failure logs
- SSH session start, end, source address, destination host, and username records
- Host process execution or command audit telemetry after SSH login
- Privileged account and valid-account usage records
- Asset inventory identifying ESXi, Linux, and macOS systems where SSH is enabled
Detection direction
- Validate that SSH login events can be joined to post-login execution on the same destination host and user within a defensible time window.
- Tune for administrative baselines: routine automation, configuration management, backup jobs, and known administrator maintenance may look similar without context.
- Prioritize unusual source-to-destination pairs, unexpected accounts, first-seen SSH usage, or execution activity inconsistent with the account’s normal role.
- Check blind spots where SSH is enabled but host command/process telemetry is absent, local logs are not forwarded, or ESXi/Linux/macOS assets are missing from inventory.
- Use the relationship to T1021.004 as context for lateral-movement investigations rather than treating every SSH session as malicious.
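An added example, not part of the mirrored ATT&CK object or the Glexia analysis, showing the login-to-execution join and the first-seen source/destination/account check described above, run over constructed sshd log lines and process telemetry; the hostnames, addresses, accounts, baseline set and five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd log lines (syslog-style; hosts and addresses are hypothetical).
SSH_LOG = """\
2024-05-01T09:00:02 web01 sshd[4120]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
2024-05-01T09:03:10 db01 sshd[2211]: Accepted password for svc-backup from 10.0.9.77 port 40211 ssh2
2024-05-01T09:05:00 db01 sshd[2290]: Failed password for root from 10.0.9.77 port 40212 ssh2
"""
# Constructed post-login process telemetry: (timestamp, host, user, command).
EXEC_EVENTS = [
    ("2024-05-01T09:00:30", "web01", "deploy", "/usr/bin/git pull"),
    ("2024-05-01T09:03:45", "db01", "svc-backup", "/usr/bin/ssh db02"),
    ("2024-05-01T09:40:00", "db01", "svc-backup", "/usr/bin/pg_dump"),
]
# Assumed baseline of known (source, destination, user) tuples, normally learned from history.
BASELINE = {("10.0.0.5", "web01", "deploy")}

ACCEPT_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")

def parse_logins(text):
    """Yield (time, host, user, source) for successful sshd logins; failures are ignored."""
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            ts, host, user, src = m.groups()
            yield datetime.fromisoformat(ts), host, user, src

def correlate(ssh_log, exec_events, baseline, window=timedelta(minutes=5)):
    """Join each login to execution by the same user on the same host inside the window."""
    findings = []
    for t_login, host, user, src in parse_logins(ssh_log):
        cmds = [
            cmd for ts, h, u, cmd in exec_events
            if h == host and u == user
            and t_login <= datetime.fromisoformat(ts) <= t_login + window
        ]
        if not cmds:
            continue  # login with no execution telemetry in the window: possible blind spot
        findings.append({
            "host": host, "user": user, "source": src,
            "first_seen_pair": (src, host, user) not in baseline,
            "commands": cmds,
        })
    return findings
```

The second login is flagged as a first-seen pair and its later pg_dump (37 minutes after login) falls outside the window, which is the kind of threshold the page says must be set locally.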
Mitigation priorities
- Confirm which ESXi, Linux, and macOS systems permit SSH and whether that access is required.
- Review valid-account governance for SSH users, especially privileged and shared administrative access.
- Ensure centralized logging for SSH authentication/session activity and post-login execution evidence.
- Strengthen incident-response playbooks so analysts can quickly determine whether an SSH login was authorized and what actions followed.
- Use detection validation results to guide access reduction, monitoring improvements, and compliance evidence for administrative access controls.
Analyst notes and limits
This take is based on the detection strategy name, its MITRE external reference, and the explicit relationship to ATT&CK technique T1021.004 SSH. Because ATT&CK provides no official detection text for this object, local engineering decisions must define thresholds, correlation windows, and allowlists.
The detection strategy object does not specify platforms, tactics, description, or detection logic. Platform and tactic context comes only from the related SSH technique. No claim is made about active exploitation, attribution, or guaranteed detection coverage.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 58a99a614ec6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0596 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.