Environment
- CB ThreatHunter PSC Console: All versions
- CB ThreatHunter PSC Sensor: 3.4.1.7 and higher
- Apple macOS: All supported versions
Objective
Search for events wherein the macOS device receives incoming SSH traffic from a remote host
Resolution
- Navigate to the Investigate page
- The search below is one example that identifies the incoming SSH connection. The launchd process must be used when searching for the initial connection: on macOS, launchd owns the listening socket for Remote Login and accepts the connection before sshd is spawned, so the inbound network event is attributed to launchd rather than sshd
device_name:XXXXXXXX AND process_name:launchd AND netconn_port:22 AND netconn_inbound:true
- Results will show the initial incoming connection; further activity within the SSH session can be searched for with a query based on the example below
device_name:XXXXXXXX AND process_name:sshd AND netconn_port:22
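The two searches above can be expressed as filter logic and then correlated, so that each launchd-accepted connection is tied to the sshd events that follow it from the same remote host. The block below is an added example, not code from the article or from Carbon Black: the field names mirror the search terms used above (device_name, process_name, netconn_port, netconn_inbound), but the record shape, the remote_ip and ts fields, the sample values and the correlation window are assumptions made for illustration and are not the product's export format or API.

```python
"""
Added example (not from the Carbon Black article): mirror the two Investigate
searches as filter logic over constructed event records, then correlate each
launchd-accepted SSH connection with the sshd events that follow it.

Field names follow the search terms in the article (device_name,
process_name, netconn_port, netconn_inbound); the record shape, the
remote_ip/ts fields and the sample values are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (not captured from a real sensor).
EVENTS = [
    {"device_name": "MAC-01", "process_name": "launchd", "netconn_port": 22,
     "netconn_inbound": True, "remote_ip": "10.0.0.5", "ts": "2024-01-10T09:00:00"},
    {"device_name": "MAC-01", "process_name": "sshd", "netconn_port": 22,
     "netconn_inbound": True, "remote_ip": "10.0.0.5", "ts": "2024-01-10T09:00:01"},
    {"device_name": "MAC-01", "process_name": "sshd", "netconn_port": 22,
     "netconn_inbound": True, "remote_ip": "10.0.0.5", "ts": "2024-01-10T09:04:30"},
    # launchd outbound traffic on another port: must not match the inbound search
    {"device_name": "MAC-01", "process_name": "launchd", "netconn_port": 443,
     "netconn_inbound": False, "remote_ip": "17.0.0.1", "ts": "2024-01-10T09:01:00"},
    # same pattern on a different device: excluded by device_name
    {"device_name": "MAC-02", "process_name": "launchd", "netconn_port": 22,
     "netconn_inbound": True, "remote_ip": "10.0.0.7", "ts": "2024-01-10T09:02:00"},
    # sshd event with no preceding launchd accept from that peer: not correlated
    {"device_name": "MAC-01", "process_name": "sshd", "netconn_port": 22,
     "netconn_inbound": True, "remote_ip": "10.0.0.9", "ts": "2024-01-10T08:00:00"},
]


def matches(event, **terms):
    """AND together field:value terms, like the Investigate query does."""
    return all(event.get(field) == value for field, value in terms.items())


def initial_ssh_connections(events, device):
    """device_name:<device> AND process_name:launchd AND netconn_port:22 AND netconn_inbound:true"""
    return [e for e in events
            if matches(e, device_name=device, process_name="launchd",
                       netconn_port=22, netconn_inbound=True)]


def sshd_activity(events, device):
    """device_name:<device> AND process_name:sshd AND netconn_port:22"""
    return [e for e in events
            if matches(e, device_name=device, process_name="sshd", netconn_port=22)]


def correlate_sessions(events, device, window=timedelta(minutes=10)):
    """Attach to each launchd accept the sshd events from the same remote host
    that occur at or after the accept and within `window` (assumed width).
    Returns a list of (accept_event, [sshd events sorted by time]) pairs."""
    accepts = initial_ssh_connections(events, device)
    followups = sshd_activity(events, device)
    sessions = []
    for accept in accepts:
        t0 = datetime.fromisoformat(accept["ts"])
        related = [f for f in followups
                   if f["remote_ip"] == accept["remote_ip"]
                   and t0 <= datetime.fromisoformat(f["ts"]) <= t0 + window]
        sessions.append((accept, sorted(related, key=lambda f: f["ts"])))
    return sessions


if __name__ == "__main__":
    for accept, related in correlate_sessions(EVENTS, "MAC-01"):
        print(f"SSH accept from {accept['remote_ip']} at {accept['ts']}: "
              f"{len(related)} sshd netconn event(s) within window")
```

The point of the correlation step is that the sshd search alone returns every sshd network event on the device, including ones with no matching launchd accept; tying each follow-on event to the launchd accept that preceded it from the same remote host is what distinguishes one session from background noise.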
Additional Notes
- Incoming SSH connections on macOS are initially handled by the launchd process, which listens on port 22 on behalf of the Remote Login service
- Once the session is initialized, it is handed off to the sshd process
- If sshd has been started manually rather than through launchd, it accepts the connection itself and the initial inbound event is attributed to sshd instead
Related Content
#EnterpriseEDR#CarbonBlackCloud