SSH Authorized Keys File Modification

calendar Sep 5, 2023 · Domain: Endpoint OS: Linux OS: macOS Use Case: Threat Detection Tactic: Lateral Movement Tactic: Persistence Data Source: Elastic Defend  ·
Share on: linkedin copy

The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/12/22"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key
13authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "SSH Authorized Keys File Modification"
20risk_score = 47
21rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
22severity = "medium"
23tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend"]
24timestamp_override = "event.ingested"
25type = "query"
26
27query = '''
28event.category:file and event.type:(change or creation) and
29 file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and
30 not process.executable:
31             (/Library/Developer/CommandLineTools/usr/bin/git or
32              /usr/local/Cellar/maven/*/libexec/bin/mvn or
33              /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or
34              /usr/bin/vim or
35              /usr/local/Cellar/coreutils/*/bin/gcat or
36              /usr/bin/bsdtar or
37              /usr/bin/nautilus or
38              /usr/bin/scp or
39              /usr/bin/touch or
40              /var/lib/docker/* or
41              /usr/bin/google_guest_agent or 
42              /opt/jc/bin/jumpcloud-agent)
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1098"
50name = "Account Manipulation"
51reference = "https://attack.mitre.org/techniques/T1098/"
52[[rule.threat.technique.subtechnique]]
53id = "T1098.004"
54name = "SSH Authorized Keys"
55reference = "https://attack.mitre.org/techniques/T1098/004/"
56
57[rule.threat.tactic]
58id = "TA0003"
59name = "Persistence"
60reference = "https://attack.mitre.org/tactics/TA0003/"
61
62
63
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1563"
68name = "Remote Service Session Hijacking"
69reference = "https://attack.mitre.org/techniques/T1563/"
70[[rule.threat.technique.subtechnique]]
71id = "T1563.001"
72name = "SSH Hijacking"
73reference = "https://attack.mitre.org/techniques/T1563/001/"
74
75[[rule.threat.technique]]
76id = "T1021"
77name = "Remote Services"
78reference = "https://attack.mitre.org/techniques/T1021/"
79[[rule.threat.technique.subtechnique]]
80id = "T1021.004"
81name = "SSH"
82reference = "https://attack.mitre.org/techniques/T1021/004/"
83
84[rule.threat.tactic]
85id = "TA0008"
86name = "Lateral Movement"
87reference = "https://attack.mitre.org/tactics/TA0008/"

Related rules

to-top