SSH Authorized Keys File Modified Inside a Container

This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.

Elastic rule (View on GitHub)

[metadata]
# Dates are kept as "YYYY/MM/DD" strings (the convention in these rule files), not TOML native dates.
creation_date = "2023/05/12"
# The only data source this rule consumes; it pairs with the logs-cloud_defend* index pattern under [rule].
integration = ["cloud_defend"]
maturity = "production"
updated_date = "2024/05/21"
 6
[rule]
author = ["Elastic"]
description = """
This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure
Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication.
Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and
unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
"""
# Schedule: runs every 5 minutes (interval) over the last 6 minutes (from). The one-minute overlap between
# consecutive runs, together with timestamp_override below, is presumably there so events that are
# ingested slightly late are still seen by a run.
from = "now-6m"
# Only cloud_defend (Elastic Defend for Containers) data is searched.
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "SSH Authorized Keys File Modified Inside a Container"
# Keep risk_score and severity in step if this rule is re-tuned.
risk_score = 73
rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3"
severity = "high"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Lateral Movement",
]
# Evaluate the look-back window against ingest time rather than the event's own timestamp.
timestamp_override = "event.ingested"
type = "eql"

# What the query matches:
#   - container.id:"*"           -> only events that carry a container id, i.e. that occurred inside a container.
#   - event.type change/creation -> the file was created or written to; deletions are not alerted on.
#   - file.name                  -> basename only, so the directory is unconstrained: an authorized_keys,
#                                   authorized_keys2 or sshd_config written anywhere in the container fires.
#                                   authorized_keys2 is presumably included because OpenSSH's default
#                                   AuthorizedKeysFile still lists it alongside authorized_keys.
# Tuning: image builds and entrypoints of legitimate SSH-based images (bastions, git servers, sidecars)
# write these same files; scope exceptions by image/namespace rather than by file name.
# NOTE(review): sshd_config on current distros commonly `Include`s sshd_config.d/*.conf, and a drop-in
#   that sets AuthorizedKeysFile or AuthorizedKeysCommand would not match on file.name here. If
#   file.path is populated in these events, consider adding
#       or file.path : "*/sshd_config.d/*"
#   inside the existing event.type guard -- confirm field coverage before changing a production rule.
# NOTE(review): a file moved into place (mv/rename) may not surface as "change"/"creation"; confirm
#   against the cloud_defend event model if that gap matters.
query = '''
file where container.id:"*" and
  event.type in ("change", "creation") and file.name: ("authorized_keys", "authorized_keys2", "sshd_config")
'''
39
40
[[rule.threat]]
# ATT&CK mapping 1 (Persistence): adding a key to authorized_keys is Account Manipulation / SSH Authorized Keys.
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.004"
name = "SSH Authorized Keys"
reference = "https://attack.mitre.org/techniques/T1098/004/"



# Tactic for this threat entry (sub-table of the [[rule.threat]] element above).
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
# ATT&CK mapping 2 (Lateral Movement): a planted key is later used to reach the host over SSH.
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"


# NOTE(review): T1563.001 covers hijacking existing SSH sessions/agent sockets; editing key or daemon
#   config files is a loose fit for it. Kept as the author's mapping -- revisit if analysts find it misleading.
[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"



# Tactic for this threat entry (sub-table of the [[rule.threat]] element above).
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
