SSH Authorized Keys File Modification

calendar May 22, 2024 · Domain: Endpoint OS: Linux OS: macOS Use Case: Threat Detection Tactic: Lateral Movement Tactic: Persistence Data Source: Elastic Defend  ·
Share on: linkedin copy

The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/12/22"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key
 11authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
 12"""
 13from = "now-9m"
 14index = ["auditbeat-*", "logs-endpoint.events.*"]
 15language = "kuery"
 16license = "Elastic License v2"
 17name = "SSH Authorized Keys File Modification"
 18risk_score = 47
 19rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
 20severity = "medium"
 21tags = [
 22    "Domain: Endpoint",
 23    "OS: Linux",
 24    "OS: macOS",
 25    "Use Case: Threat Detection",
 26    "Tactic: Lateral Movement",
 27    "Tactic: Persistence",
 28    "Data Source: Elastic Defend",
 29]
 30timestamp_override = "event.ingested"
 31type = "new_terms"
 32
 33query = '''
 34event.category:file and event.type:(change or creation) and
 35 file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and
 36 not process.executable:
 37             (/Library/Developer/CommandLineTools/usr/bin/git or
 38              /usr/local/Cellar/maven/*/libexec/bin/mvn or
 39              /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or
 40              /usr/bin/vim or
 41              /usr/local/Cellar/coreutils/*/bin/gcat or
 42              /usr/bin/bsdtar or
 43              /usr/bin/nautilus or
 44              /usr/bin/scp or
 45              /usr/bin/touch or
 46              /var/lib/docker/* or
 47              /usr/bin/google_guest_agent or 
 48              /opt/jc/bin/jumpcloud-agent or 
 49              /opt/puppetlabs/puppet/bin/puppet or
 50              /usr/bin/chef-client
 51)
 52'''
 53
 54
 55[[rule.threat]]
 56framework = "MITRE ATT&CK"
 57[[rule.threat.technique]]
 58id = "T1098"
 59name = "Account Manipulation"
 60reference = "https://attack.mitre.org/techniques/T1098/"
 61[[rule.threat.technique.subtechnique]]
 62id = "T1098.004"
 63name = "SSH Authorized Keys"
 64reference = "https://attack.mitre.org/techniques/T1098/004/"
 65
 66
 67
 68[rule.threat.tactic]
 69id = "TA0003"
 70name = "Persistence"
 71reference = "https://attack.mitre.org/tactics/TA0003/"
 72[[rule.threat]]
 73framework = "MITRE ATT&CK"
 74[[rule.threat.technique]]
 75id = "T1021"
 76name = "Remote Services"
 77reference = "https://attack.mitre.org/techniques/T1021/"
 78[[rule.threat.technique.subtechnique]]
 79id = "T1021.004"
 80name = "SSH"
 81reference = "https://attack.mitre.org/techniques/T1021/004/"
 82
 83
 84[[rule.threat.technique]]
 85id = "T1563"
 86name = "Remote Service Session Hijacking"
 87reference = "https://attack.mitre.org/techniques/T1563/"
 88[[rule.threat.technique.subtechnique]]
 89id = "T1563.001"
 90name = "SSH Hijacking"
 91reference = "https://attack.mitre.org/techniques/T1563/001/"
 92
 93
 94
 95[rule.threat.tactic]
 96id = "TA0008"
 97name = "Lateral Movement"
 98reference = "https://attack.mitre.org/tactics/TA0008/"
 99
100[rule.new_terms]
101field = "new_terms_fields"
102value = ["host.id", "process.executable"]
103[[rule.new_terms.history_window_start]]
104field = "history_window_start"
105value = "now-10d"

Related rules

to-top