SSH Key Generated via ssh-keygen
This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.
[metadata]
# Authoring dates (YYYY/MM/DD); updated_date should move whenever the query or mappings change.
creation_date = "2024/05/31"
# Integration(s) whose data the rule reads — presumably the Elastic Agent "endpoint" integration
# that produces the logs-endpoint.* indices listed under [rule]; confirm against the rule schema.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"

[rule]
author = ["Elastic"]
description = """
This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating
SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this
tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH
access to systems.
"""
# Start of the look-back window for each run. The window is wider than a typical schedule interval
# (no interval is set here, so the default applies) so that events delayed in ingest are still
# evaluated — see timestamp_override below.
from = "now-9m"
# Elastic Defend file events plus Endgame indices; the two sources spell a file-creation action
# differently, which is why the query accepts two event.action values.
index = ["logs-endpoint.events.file*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "SSH Key Generated via ssh-keygen"
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
# Low score/severity: ordinary, legitimate key generation matches this rule as well, so a hit is a
# triage lead (who created the key, and was it subsequently installed anywhere?) rather than a
# confirmed intrusion on its own.
risk_score = 21
rule_id = "7df3cb8b-5c0c-4228-b772-bb6cd619053c"
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Lateral Movement",
  "Tactic: Persistence",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
]
# Evaluate the look-back window against ingest time rather than the event's own timestamp so that
# events arriving late from the endpoint are not silently skipped.
timestamp_override = "event.ingested"
type = "eql"

# Matching logic, clause by clause:
#   host.os.type == "linux"          — Linux hosts only (consistent with the "OS: Linux" tag).
#   event.action in (...)            — "creation" and "file_create_event" are the two spellings of a
#                                      file-creation event across the Defend and Endgame sources in
#                                      `index` (which is which is not stated here — verify).
#   process.executable == "/usr/bin/ssh-keygen"
#                                    — exact-path equality: ssh-keygen installed under another prefix,
#                                      or a copied/renamed binary, does NOT match. NOTE(review): decide
#                                      whether process.name or additional paths are wanted here.
#   file.path : (...)                — keys written under /home/*/.ssh, /root/.ssh or /etc/ssh. Home
#                                      directories outside /home (e.g. service accounts) are not covered.
#   not file.name : "known_hosts.*"  — excludes known_hosts.* files; presumably the backup/temporary
#                                      files ssh-keygen writes when editing known_hosts (-R / -H) —
#                                      confirm, as this is the rule's only noise exclusion.
# The rule does not look for a follow-on write to authorized_keys; correlating with one would raise
# confidence that the new key is being installed for access rather than merely generated.
query = '''
file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and
process.executable == "/usr/bin/ssh-keygen" and file.path : ("/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*") and
not file.name : "known_hosts.*"
'''


# ATT&CK mapping 1 — Persistence: an attacker-generated key installed as an authorized key
# (T1098.004, SSH Authorized Keys).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.004"
name = "SSH Authorized Keys"
reference = "https://attack.mitre.org/techniques/T1098/004/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
# ATT&CK mapping 2 — Lateral Movement: the key may be used to reach other hosts over SSH
# (T1021.004) or to hijack SSH sessions (T1563.001).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"


[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
References
Related rules
- Executable Bit Set for Potential Persistence Script
- Potential Linux Backdoor User Account Creation
- Suspicious File Creation in /etc for Persistence
- Process Capability Set via setcap Utility
- Process Spawned from Message-of-the-Day (MOTD)