SSHD
Overview
Evidence: Sshd
Description: Filter ssh activity events
Category: System
Platform: macos
Short Name: sshd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The SSH daemon (sshd) on macOS handles secure shell connections for remote access. It logs all SSH connection attempts, authentication events, session establishments, and disconnections. SSH is commonly used for remote administration and is frequently targeted by attackers.
Data Collected
This collector gathers structured data about sshd.
Sshd Data
Fields: Option | Example value | Value
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract events from the sshd process over the last 3 days. The command's JSON output is parsed and each entry is stored in the unified_logs table with PredicateType='Sshd'.
Forensic Value
SSH logs are vital for investigating remote access, lateral movement, brute force attacks, and unauthorized system access. They provide source IP addresses, authentication attempts, connection times, and user accounts used, which are essential for detecting intrusions and tracking attacker movements.
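The following is an added example, not the collector's own code, showing both steps described above: parsing the JSON that the macOS 'log' command emits for sshd into unified_logs-style rows tagged PredicateType='Sshd', and then extracting the fields the Forensic Value section names (source IP, user, authentication outcome) so that failed attempts can be counted per source. The record keys (timestamp, processID, eventMessage, processImagePath) are assumed to follow the 'log show --style json' output format; the sample entries and all addresses in them are constructed, and the function and variable names are this example's own.

```python
import json
import re
import subprocess
from collections import Counter
from typing import Dict, List

# The invocation the Collection Method describes: sshd events from the last 3 days as JSON.
LOG_SHOW_CMD = ["log", "show", "--predicate", 'process == "sshd"', "--last", "3d", "--style", "json"]

# Constructed sample in the shape 'log show --style json' returns (an array of objects).
# Keys are assumed to match the real tool; values, names and IPs are made up for this example.
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2024-05-01 09:12:01.000000+0000", "processID": 412, "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:abc"},
    {"timestamp": "2024-05-01 09:15:07.000000+0000", "processID": 418, "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2"},
    {"timestamp": "2024-05-01 09:15:09.000000+0000", "processID": 419, "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2"},
    {"timestamp": "2024-05-01 09:15:11.000000+0000", "processID": 420, "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Failed password for root from 198.51.100.7 port 40003 ssh2"},
    {"timestamp": "2024-05-01 09:15:12.000000+0000", "processID": 420, "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Connection closed by authenticating user root 198.51.100.7 port 40003 [preauth]"},
    {"timestamp": "2024-05-01 09:40:00.000000+0000", "processID": 412, "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Disconnected from user alice 192.0.2.10 port 51234"},
])

# Standard OpenSSH authentication message: "Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>".
_AUTH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_log_show_json(raw: str) -> List[Dict]:
    """Turn 'log show --style json' output into unified_logs-style rows tagged PredicateType='Sshd'.

    Every entry becomes a row; authentication messages additionally get
    outcome, method, user, source_ip and port fields pulled from the message text.
    """
    rows = []
    for entry in json.loads(raw):
        row = {
            "PredicateType": "Sshd",
            "timestamp": entry.get("timestamp"),
            "pid": entry.get("processID"),
            "process": entry.get("processImagePath"),
            "message": entry.get("eventMessage", ""),
            "outcome": None, "method": None, "user": None, "source_ip": None, "port": None,
        }
        m = _AUTH_RE.match(row["message"])
        if m:
            row.update(outcome=m["outcome"], method=m["method"], user=m["user"],
                       source_ip=m["ip"], port=int(m["port"]))
        rows.append(row)
    return rows


def failed_logins_by_source(rows: List[Dict]) -> Counter:
    """Count failed authentication attempts per source IP (the brute-force signal)."""
    return Counter(r["source_ip"] for r in rows if r["outcome"] == "Failed")


def brute_force_sources(rows: List[Dict], threshold: int = 3) -> List[str]:
    """Source IPs with at least `threshold` failures; the threshold is an example value."""
    return sorted(ip for ip, n in failed_logins_by_source(rows).items() if n >= threshold)


def accepted_logins(rows: List[Dict]) -> List[Dict]:
    """Successful sessions: who got in, from where, and when."""
    return [{"user": r["user"], "source_ip": r["source_ip"], "timestamp": r["timestamp"]}
            for r in rows if r["outcome"] == "Accepted"]


def collect_from_host() -> List[Dict]:
    """Run the real 'log show' command (macOS only) and parse its output."""
    out = subprocess.run(LOG_SHOW_CMD, check=True, capture_output=True, text=True).stdout
    return parse_log_show_json(out)


if __name__ == "__main__":
    parsed = parse_log_show_json(SAMPLE_LOG_JSON)
    print("rows:", len(parsed))
    print("accepted:", accepted_logins(parsed))
    print("failures by source:", dict(failed_logins_by_source(parsed)))
    print("brute-force candidates:", brute_force_sources(parsed))
```

On a macOS host, collect_from_host() replaces the constructed sample with live output from the same command the collector runs; the parsed rows then answer the Forensic Value questions directly (which accounts succeeded, which sources are hammering the daemon) without re-reading raw messages.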