CB ThreatHunter: How To Search For SSH Sessions on Mac Devices
Article ID: 287035

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Search for events in which a macOS device receives an incoming SSH connection from a remote host.

Environment

  • CB ThreatHunter PSC Console: All versions
  • CB ThreatHunter PSC Sensor: 3.4.1.7 and higher
  • Apple macOS: All supported versions

Resolution

  1. Navigate to the Investigate page.
  2. Run a search such as the one below to identify the incoming SSH connection. The initial connection is accepted by the launchd process, so process_name:launchd must be used when searching for it:
    device_name:XXXXXXXX AND process_name:launchd AND netconn_port:22 AND netconn_inbound:true
  3. The results show the initial incoming connection. Once the session is established it is handled by sshd, so further activity within the SSH session can be searched for with a query based on this example:
    device_name:XXXXXXXX AND process_name:sshd AND netconn_port:22

Additional Information

  • Incoming SSH connections on macOS are initially handled by the launchd process
  • Once the session is initialized, it is handed off to the sshd process
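The example below, added here and not part of the Carbon Black article, builds the two searches from the Resolution steps for a given device name and then applies the same launchd-then-sshd logic described under Additional Information to a handful of constructed network-connection events. The field names (device_name, process_name, netconn_port, netconn_inbound) are the ones used in the article's searches; the device names, IP addresses and events themselves are made up, and the remote_ip attribute is purely illustrative.

```python
"""Build the Enterprise EDR SSH searches and show which events they match.

Added example, not Carbon Black's code. The events below are constructed to
mirror the fields used in the article's searches; nothing here talks to the
Carbon Black Cloud API.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class NetconnEvent:
    """Minimal stand-in for a netconn event as seen in the Investigate page."""
    device_name: str
    process_name: str
    netconn_port: int
    netconn_inbound: bool
    remote_ip: str  # illustrative only; not used by either search


def initial_ssh_connection_query(device_name: str) -> str:
    """Search for the first inbound SSH connection, which launchd accepts on macOS."""
    return (f"device_name:{device_name} AND process_name:launchd "
            f"AND netconn_port:22 AND netconn_inbound:true")


def ssh_session_activity_query(device_name: str) -> str:
    """Search for later activity once launchd has handed the session to sshd."""
    return f"device_name:{device_name} AND process_name:sshd AND netconn_port:22"


def matches_initial_connection(ev: NetconnEvent, device_name: str) -> bool:
    """Same predicate the first search expresses: launchd, port 22, inbound."""
    return (ev.device_name == device_name
            and ev.process_name == "launchd"
            and ev.netconn_port == 22
            and ev.netconn_inbound)


def matches_session_activity(ev: NetconnEvent, device_name: str) -> bool:
    """Same predicate the second search expresses: sshd on port 22."""
    return (ev.device_name == device_name
            and ev.process_name == "sshd"
            and ev.netconn_port == 22)


def find_ssh_sessions(events, device_name: str) -> dict:
    """Split events into the initial connection(s) and follow-on sshd activity."""
    return {
        "initial": [e for e in events if matches_initial_connection(e, device_name)],
        "activity": [e for e in events if matches_session_activity(e, device_name)],
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # launchd accepts the inbound SSH connection: matched by the first search.
    NetconnEvent("MAC-LAB-01", "launchd", 22, True, "192.0.2.10"),
    # sshd now owns the session: matched by the second search.
    NetconnEvent("MAC-LAB-01", "sshd", 22, True, "192.0.2.10"),
    # Outbound ssh client from the Mac: neither search is meant to catch this.
    NetconnEvent("MAC-LAB-01", "ssh", 22, False, "198.51.100.5"),
    # launchd inbound on another port: not SSH.
    NetconnEvent("MAC-LAB-01", "launchd", 443, True, "192.0.2.11"),
    # Same pattern on a different device: excluded by device_name.
    NetconnEvent("MAC-LAB-02", "launchd", 22, True, "192.0.2.12"),
]


if __name__ == "__main__":
    device = "MAC-LAB-01"
    print(initial_ssh_connection_query(device))
    print(ssh_session_activity_query(device))
    result = find_ssh_sessions(SAMPLE_EVENTS, device)
    for stage, hits in result.items():
        print(f"{stage}: {len(hits)} event(s)")
        for ev in hits:
            print(f"  {ev.process_name} port {ev.netconn_port} from {ev.remote_ip}")
```

Running the block prints the two queries with the device name filled in, then one launchd hit and one sshd hit for MAC-LAB-01; the outbound ssh client connection, the launchd connection on port 443 and the event from MAC-LAB-02 are all filtered out, which is the behaviour to expect from the console searches.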