SSH Authorized Keys File Modification
The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/12/22"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key
11authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
12"""
13from = "now-9m"
14index = ["auditbeat-*", "logs-endpoint.events.*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "SSH Authorized Keys File Modification"
18risk_score = 47
19rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
20severity = "medium"
21tags = [
22 "Domain: Endpoint",
23 "OS: Linux",
24 "OS: macOS",
25 "Use Case: Threat Detection",
26 "Tactic: Lateral Movement",
27 "Tactic: Persistence",
28 "Data Source: Elastic Defend",
29]
30timestamp_override = "event.ingested"
31type = "new_terms"
32
33query = '''
34event.category:file and event.type:(change or creation) and
35 file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and
36 not process.executable:
37 (/Library/Developer/CommandLineTools/usr/bin/git or
38 /usr/local/Cellar/maven/*/libexec/bin/mvn or
39 /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or
40 /usr/bin/vim or
41 /usr/local/Cellar/coreutils/*/bin/gcat or
42 /usr/bin/bsdtar or
43 /usr/bin/nautilus or
44 /usr/bin/scp or
45 /usr/bin/touch or
46 /var/lib/docker/* or
47 /usr/bin/google_guest_agent or
48 /opt/jc/bin/jumpcloud-agent or
49 /opt/puppetlabs/puppet/bin/puppet or
50 /usr/bin/chef-client
51)
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1098"
59name = "Account Manipulation"
60reference = "https://attack.mitre.org/techniques/T1098/"
61[[rule.threat.technique.subtechnique]]
62id = "T1098.004"
63name = "SSH Authorized Keys"
64reference = "https://attack.mitre.org/techniques/T1098/004/"
65
66
67
68[rule.threat.tactic]
69id = "TA0003"
70name = "Persistence"
71reference = "https://attack.mitre.org/tactics/TA0003/"
72[[rule.threat]]
73framework = "MITRE ATT&CK"
74[[rule.threat.technique]]
75id = "T1021"
76name = "Remote Services"
77reference = "https://attack.mitre.org/techniques/T1021/"
78[[rule.threat.technique.subtechnique]]
79id = "T1021.004"
80name = "SSH"
81reference = "https://attack.mitre.org/techniques/T1021/004/"
82
83
84[[rule.threat.technique]]
85id = "T1563"
86name = "Remote Service Session Hijacking"
87reference = "https://attack.mitre.org/techniques/T1563/"
88[[rule.threat.technique.subtechnique]]
89id = "T1563.001"
90name = "SSH Hijacking"
91reference = "https://attack.mitre.org/techniques/T1563/001/"
92
93
94
95[rule.threat.tactic]
96id = "TA0008"
97name = "Lateral Movement"
98reference = "https://attack.mitre.org/tactics/TA0008/"
99
100[rule.new_terms]
101field = "new_terms_fields"
102value = ["host.id", "process.executable"]
103[[rule.new_terms.history_window_start]]
104field = "history_window_start"
105value = "now-10d"
Related rules
- Bash Shell Profile Modification
- Modification of OpenSSH Binaries
- Modification of Standard Authentication Module or Configuration
- Attempt to Enable the Root Account
- Attempt to Mount SMB Share via Command Line