SSH Key Generated via ssh-keygen

calendar Jul 8, 2024 · Domain: Endpoint OS: Linux Use Case: Threat Detection Tactic: Lateral Movement Tactic: Persistence Data Source: Elastic Endgame Data Source: Elastic Defend  ·
Share on: linkedin copy

This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/05/31"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/07/08"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating
11SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this
12tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH
13access to systems.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.file*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "SSH Key Generated via ssh-keygen"
20risk_score = 21
21rule_id = "7df3cb8b-5c0c-4228-b772-bb6cd619053c"
22severity = "low"
23tags = [
24    "Domain: Endpoint",
25    "OS: Linux",
26    "Use Case: Threat Detection",
27    "Tactic: Lateral Movement",
28    "Tactic: Persistence",
29    "Data Source: Elastic Endgame",
30    "Data Source: Elastic Defend",
31]
32timestamp_override = "event.ingested"
33type = "eql"
34query = '''
35file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and
36process.executable == "/usr/bin/ssh-keygen" and file.path : ("/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*") and
37not file.name : "known_hosts.*"
38'''
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42
43[[rule.threat.technique]]
44id = "T1098"
45name = "Account Manipulation"
46reference = "https://attack.mitre.org/techniques/T1098/"
47
48[[rule.threat.technique.subtechnique]]
49id = "T1098.004"
50name = "SSH Authorized Keys"
51reference = "https://attack.mitre.org/techniques/T1098/004/"
52
53[rule.threat.tactic]
54id = "TA0003"
55name = "Persistence"
56reference = "https://attack.mitre.org/tactics/TA0003/"
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60
61[[rule.threat.technique]]
62id = "T1021"
63name = "Remote Services"
64reference = "https://attack.mitre.org/techniques/T1021/"
65
66[[rule.threat.technique.subtechnique]]
67id = "T1021.004"
68name = "SSH"
69reference = "https://attack.mitre.org/techniques/T1021/004/"
70
71[[rule.threat.technique]]
72id = "T1563"
73name = "Remote Service Session Hijacking"
74reference = "https://attack.mitre.org/techniques/T1563/"
75
76[[rule.threat.technique.subtechnique]]
77id = "T1563.001"
78name = "SSH Hijacking"
79reference = "https://attack.mitre.org/techniques/T1563/001/"
80
81[rule.threat.tactic]
82id = "TA0008"
83name = "Lateral Movement"
84reference = "https://attack.mitre.org/tactics/TA0008/"

Related rules

to-top