Sshd

Evidence: Sshd
Description: Filter ssh activity events
Category: System
Platform: macos
Short Name: sshd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

The SSH daemon (sshd) on macOS handles secure shell connections for remote access. It logs all SSH connection attempts, authentication events, session establishments, and disconnections. SSH is commonly used for remote administration and is frequently targeted by attackers.

This collector gathers structured data about sshd.

Field | Description | Example
Option | Option | Example value
Value | Value | Example value

This collector uses the macOS `log` command with predicate-based filtering to extract sshd process events over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Sshd'.

SSH logs are vital for investigating remote access, lateral movement, brute force attacks, and unauthorized system access. They provide source IP addresses, authentication attempts, connection times, and user accounts used, which are essential for detecting intrusions and tracking attacker movements.
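As an added example (not code from this page or from the collector itself), the Python below builds the kind of `log show` query the collector description implies, parses a constructed JSON sample shaped like that command's output into unified_logs-style rows, and pulls out the source address, user and authentication result fields that the investigation guidance above relies on. The predicate string, the JSON field names and the sample entries are assumptions.

```python
import json
import re
from collections import Counter

def build_log_command(days=3):
    # Real `log show` flags; the exact predicate used by the collector is an assumption.
    return ["log", "show", "--predicate", 'process == "sshd"',
            "--last", f"{days}d", "--style", "json"]

# Constructed sample shaped like `log show --style json` output (field names
# assumed from that format; addresses are documentation ranges).
SAMPLE_JSON = json.dumps([
    {"timestamp": "2024-05-01 10:00:01.000000-0700", "process": "sshd",
     "eventMessage": "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"},
    {"timestamp": "2024-05-01 10:00:03.000000-0700", "process": "sshd",
     "eventMessage": "Failed password for root from 203.0.113.5 port 51240 ssh2"},
    {"timestamp": "2024-05-01 10:00:05.000000-0700", "process": "sshd",
     "eventMessage": "Failed password for root from 203.0.113.5 port 51241 ssh2"},
    {"timestamp": "2024-05-01 10:02:00.000000-0700", "process": "sshd",
     "eventMessage": "Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:EXAMPLE"},
    {"timestamp": "2024-05-01 10:09:00.000000-0700", "process": "sshd",
     "eventMessage": "Received disconnect from 198.51.100.7 port 40022:11: disconnected by user"},
])

# OpenSSH auth line: "<Accepted|Failed> <method> for [invalid user] <user> from <ip> port <port>"
AUTH_RE = re.compile(r"^(Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")

def parse_sshd_events(raw_json):
    """Turn `log show` JSON into rows like those the unified_logs table would hold."""
    rows = []
    for entry in json.loads(raw_json):
        if entry.get("process") != "sshd":
            continue  # the predicate should already exclude these; guard anyway
        row = {"PredicateType": "Sshd", "timestamp": entry["timestamp"], "message": entry["eventMessage"],
               "result": None, "method": None, "user": None, "src_ip": None, "port": None}
        m = AUTH_RE.match(entry["eventMessage"])
        if m:  # non-auth lines (disconnects, key exchange) keep result=None
            row.update(result=m.group(1), method=m.group(2), user=m.group(3),
                       src_ip=m.group(4), port=int(m.group(5)))
        rows.append(row)
    return rows

def failed_auth_by_source(rows):
    """Failed authentications per source IP: the first brute-force triage question."""
    return Counter(r["src_ip"] for r in rows if r["result"] == "Failed")

def accepted_logins(rows):
    """(user, src_ip, method) for each successful authentication, for tracking access."""
    return [(r["user"], r["src_ip"], r["method"]) for r in rows if r["result"] == "Accepted"]
```

Running the real query requires a macOS host with the unified log available; the parsing and summary functions work on any saved `log show --style json` export.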