SSH Authorized Keys File Modified Inside a Container
This rule detects the creation or modification of a file named authorized_keys, authorized_keys2, or sshd_config inside a container; the match is on file name alone, in any directory. The Secure Shell (SSH) authorized_keys file lists the public keys permitted to log in to a server with public key authentication, and sshd_config controls the SSH daemon's settings, including where it looks for authorized keys. Adversaries may modify these files to maintain persistence on a victim host by adding their own public key(s) or by weakening the daemon's authentication settings. Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
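[metadata]
creation_date = "2023/05/12"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container.
The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication.
Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
"""
# The search window is one minute longer than the run interval so that events
# landing between two consecutive runs are not missed.
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "SSH Authorized Keys File Modified Inside a Container"
risk_score = 73
rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3"
severity = "high"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Lateral Movement"]
# The from/interval window above is evaluated against ingest time, not the
# event's own @timestamp, so late-arriving events are still picked up.
timestamp_override = "event.ingested"
type = "eql"

# Scope: file events that carry a container.id, i.e. activity inside a container.
# Matching is by file name only; there is no file.path constraint, so a file with
# one of these names written anywhere in the container filesystem will alert.
# Presumably intentional: sshd_config can repoint AuthorizedKeysFile to an
# arbitrary location, so restricting the path could be evaded by an attacker who
# also edits the daemon config. The cost is noise from image builds or
# configuration management that legitimately write these files; prefer tuning via
# exceptions on the writing process or container image rather than on file.path.
# Only "change" and "creation" are matched; whether a write-then-rename over the
# target is reported as one of these by the sensor should be confirmed before
# relying on that coverage.
query = '''
file where container.id:"*" and
 event.type in ("change", "creation") and file.name: ("authorized_keys", "authorized_keys2", "sshd_config")
'''

# T1098.004 is what the query directly observes (a write to an SSH key/config file).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.004"
name = "SSH Authorized Keys"
reference = "https://attack.mitre.org/techniques/T1098/004/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# The Lateral Movement mapping reflects the likely follow-on use of the modified
# SSH configuration; the query itself sees only the file write, not any session.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"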
Related rules
- SSH Process Launched From Inside A Container
- SSH Connection Established Inside A Running Container
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container