SSH Authorized Keys File Modification
The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/12/22"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
6min_stack_version = "8.6.0"
7updated_date = "2024/02/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key
13authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "SSH Authorized Keys File Modification"
20risk_score = 47
21rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
22severity = "medium"
23tags = ["Domain: Endpoint",
24 "OS: Linux",
25 "OS: macOS",
26 "Use Case: Threat Detection",
27 "Tactic: Lateral Movement",
28 "Tactic: Persistence",
29 "Data Source: Elastic Defend"
30 ]
31timestamp_override = "event.ingested"
32type = "new_terms"
33query = '''
34event.category:file and event.type:(change or creation) and
35 file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and
36 not process.executable:
37 (/Library/Developer/CommandLineTools/usr/bin/git or
38 /usr/local/Cellar/maven/*/libexec/bin/mvn or
39 /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or
40 /usr/bin/vim or
41 /usr/local/Cellar/coreutils/*/bin/gcat or
42 /usr/bin/bsdtar or
43 /usr/bin/nautilus or
44 /usr/bin/scp or
45 /usr/bin/touch or
46 /var/lib/docker/* or
47 /usr/bin/google_guest_agent or
48 /opt/jc/bin/jumpcloud-agent or
49 /opt/puppetlabs/puppet/bin/puppet or
50 /usr/bin/chef-client
51)
52'''
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56
57[[rule.threat.technique]]
58id = "T1098"
59name = "Account Manipulation"
60reference = "https://attack.mitre.org/techniques/T1098/"
61
62[[rule.threat.technique.subtechnique]]
63id = "T1098.004"
64name = "SSH Authorized Keys"
65reference = "https://attack.mitre.org/techniques/T1098/004/"
66
67[rule.threat.tactic]
68id = "TA0003"
69name = "Persistence"
70reference = "https://attack.mitre.org/tactics/TA0003/"
71
72[[rule.threat]]
73framework = "MITRE ATT&CK"
74
75[[rule.threat.technique]]
76id = "T1563"
77name = "Remote Service Session Hijacking"
78reference = "https://attack.mitre.org/techniques/T1563/"
79
80[[rule.threat.technique.subtechnique]]
81id = "T1563.001"
82name = "SSH Hijacking"
83reference = "https://attack.mitre.org/techniques/T1563/001/"
84
85[[rule.threat.technique]]
86id = "T1021"
87name = "Remote Services"
88reference = "https://attack.mitre.org/techniques/T1021/"
89
90[[rule.threat.technique.subtechnique]]
91id = "T1021.004"
92name = "SSH"
93reference = "https://attack.mitre.org/techniques/T1021/004/"
94
95[rule.threat.tactic]
96id = "TA0008"
97name = "Lateral Movement"
98reference = "https://attack.mitre.org/tactics/TA0008/"
99
100[rule.new_terms]
101field = "new_terms_fields"
102value = ["host.id", "process.executable"]
103
104[[rule.new_terms.history_window_start]]
105field = "history_window_start"
106value = "now-10d"
Related rules
- Bash Shell Profile Modification
- Modification of Standard Authentication Module or Configuration
- Potential Persistence Through Systemd-udevd
- Potential Suspicious File Edit
- Sudo Heap-Based Buffer Overflow Attempt