Potential Redis CONFIG SET SSH Authorized Key Injection

This rule detects attempts to abuse Redis CONFIG SET commands to inject SSH authorized keys on Linux hosts. Attackers targeting unauthenticated Redis instances issue CONFIG SET dir to an SSH directory such as /root/.ssh, set the filename to authorized_keys via CONFIG SET dbfilename, write an attacker-controlled public key via SET, and call BGSAVE to flush it to disk, establishing persistent SSH access as root.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/06/11"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2026/06/11"

[rule]
author = ["Elastic"]
description = """
This rule detects attempts to abuse Redis CONFIG SET commands to inject SSH authorized keys on Linux hosts.
Attackers targeting unauthenticated Redis instances issue CONFIG SET dir to an SSH directory such as
/root/.ssh, set the filename to authorized_keys via CONFIG SET dbfilename, write an attacker-controlled
public key via SET, and call BGSAVE to flush it to disk, establishing persistent SSH access as root.
"""
from = "now-9m"
index = ["logs-network_traffic.redis*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Redis CONFIG SET SSH Authorized Key Injection"
note = """## Triage and analysis

### Investigating Potential Redis CONFIG SET SSH Authorized Key Injection

Redis's CONFIG SET command allows runtime reconfiguration of the server, including the working directory (`dir`) and database filename (`dbfilename`). Attackers targeting unauthenticated Redis instances exploit this to redirect BGSAVE output into `/root/.ssh/authorized_keys`, injecting their own SSH public key and establishing persistent shell access without credentials. The file is written with the privileges of the Redis process, so the access gained is root only when Redis runs as root; otherwise the same chain can target the `~/.ssh` directory of the Redis service account or any other path that account can write to.

The full attack chain is:
1. `CONFIG SET dir /root/.ssh` — redirects the save path to the SSH directory
2. `CONFIG SET dbfilename authorized_keys` — sets the output filename
3. `SET key "\\n\\nssh-rsa ATTACKER_KEY\\n\\n"` — writes the public key with surrounding newlines, so that the binary RDB header and trailer land on separate lines that sshd skips as unparsable while the key line itself is honoured
4. `BGSAVE` — flushes the in-memory dataset (including the injected key) to disk

A related variant targets cron persistence (`CONFIG SET dir /etc/cron.d`) for cryptominer deployment, as used by the RedisRaider campaign. This rule does not match that variant: its query requires `/.ssh` or `authorized_keys` in the command text.

### Possible investigation steps

- Identify the source IP and determine whether it is an expected Redis client or an external/unknown address. Any external IP issuing CONFIG SET to an SSH directory should be treated as malicious.
- Check whether the destination Redis instance requires authentication (`requirepass` or ACL). Unauthenticated instances are the prerequisite for this attack.
- Review subsequent Redis commands from the same source IP for `SET` (key write) and `BGSAVE` (flush to disk), which complete the injection chain.
- Examine `/root/.ssh/authorized_keys` and other user SSH directories on the Redis host for unexpected or recently modified entries at or after the alert time.
- Check SSH login events on the Redis host for successful logins from unknown keys or source IPs shortly after the alert.
- Review outbound connections from the Redis host for lateral movement or C2 activity following a successful key injection.

### False positive analysis

- `CONFIG SET dir` is a legitimate administrative command, but pointing it to any `/.ssh` directory has no legitimate use case. A match on this pattern has an extremely low false positive rate.
- `CONFIG SET dbfilename authorized_keys` has no legitimate operational use. Any match should be investigated immediately.
- Automated deployment tooling (Ansible, Chef, Puppet) will never target SSH directories via Redis CONFIG SET — this combination is exclusively malicious.

### Response and remediation

- Immediately inspect `/root/.ssh/authorized_keys` and all user `~/.ssh/authorized_keys` files on the Redis host for unauthorized entries and remove them.
- Audit all active SSH sessions on the affected host and terminate unauthorized ones. Because the attacker had write access as the Redis process user (root if Redis ran as root), treat key material readable by that user, including SSH host keys, as compromised and rotate it.
- Require authentication on all Redis instances (`requirepass` or ACL). Unauthenticated Redis reachable from any network is the root cause.
- Restrict `CONFIG` using Redis ACLs: `ACL SETUSER <user> -config`. On Redis 7 and later, ACL rules can also be scoped to subcommands, for example `-config|set`, which blocks runtime reconfiguration while leaving `CONFIG GET` available.
- Block inbound access to Redis port 6379 from untrusted networks at the host firewall or perimeter.
- Consider enabling Redis's protected mode, which rejects connections from non-loopback addresses when no authentication is configured. It is on by default since Redis 3.2, so check whether it has been turned off with `protected-mode no`.
"""
references = [
    "https://redis.io/docs/latest/operate/oss_and_stack/management/security/",
    "https://attack.mitre.org/techniques/T1098/004/",
    "https://attack.mitre.org/techniques/T1190/",
]
risk_score = 73
rule_id = "39ab0f66-efa0-4649-9c9c-8c64682f5fdd"
setup = """## Setup

This rule requires the Elastic **network_traffic** integration (Packetbeat via Elastic Agent) with the Redis
protocol module enabled.

### Enabling the Redis module

In the Elastic Agent `network_traffic` integration policy:
1. Add or confirm **Redis** in the protocols list with `enabled: true`.
2. Set **ports** to include `6379` (or the custom port your Redis instances listen on).
3. Deploy the sensor on the Redis host, on a SPAN/mirror port, or on a gateway that receives Redis traffic.

### TLS limitation

This rule requires unencrypted Redis traffic. Redis uses plaintext by default (port 6379). If TLS is configured,
Packetbeat cannot inspect the payload without TLS decryption.
"""
severity = "high"
tags = [
    "Domain: Network",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Initial Access",
    "Data Source: Network Packet Capture",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
network where data_stream.dataset == "network_traffic.redis" and
  (
    (
      network_traffic.redis.query like~ "*CONFIG SET dir*" and
      network_traffic.redis.query like~ "*/.ssh*"
    ) or
    (
      network_traffic.redis.query like~ "*CONFIG SET dbfilename*" and
      network_traffic.redis.query like~ "*authorized_keys*"
    )
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.004"
name = "SSH Authorized Keys"
reference = "https://attack.mitre.org/techniques/T1098/004/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

Triage and analysis

Investigating Potential Redis CONFIG SET SSH Authorized Key Injection

Redis's CONFIG SET command allows runtime reconfiguration of the server, including the working directory (dir) and database filename (dbfilename). Attackers targeting unauthenticated Redis instances exploit this to redirect BGSAVE output into /root/.ssh/authorized_keys, injecting their own SSH public key and establishing persistent shell access without credentials. The file is written with the privileges of the Redis process, so the access gained is root only when Redis runs as root; otherwise the same chain can target the ~/.ssh directory of the Redis service account or any other path that account can write to.

The full attack chain is:

  1. CONFIG SET dir /root/.ssh — redirects the save path to the SSH directory
  2. CONFIG SET dbfilename authorized_keys — sets the output filename
  3. SET key "\n\nssh-rsa ATTACKER_KEY\n\n" — writes the public key with surrounding newlines, so that the binary RDB header and trailer land on separate lines that sshd skips as unparsable while the key line itself is honoured
  4. BGSAVE — flushes the in-memory dataset (including the injected key) to disk

A related variant targets cron persistence (CONFIG SET dir /etc/cron.d) for cryptominer deployment, as used by the RedisRaider campaign. This rule does not match that variant: its query requires /.ssh or authorized_keys in the command text.

Possible investigation steps

  • Identify the source IP and determine whether it is an expected Redis client or an external/unknown address. Any external IP issuing CONFIG SET to an SSH directory should be treated as malicious.
  • Check whether the destination Redis instance requires authentication (requirepass or ACL). Unauthenticated instances are the prerequisite for this attack.
  • Review subsequent Redis commands from the same source IP for SET (key write) and BGSAVE (flush to disk), which complete the injection chain.
  • Examine /root/.ssh/authorized_keys and other user SSH directories on the Redis host for unexpected or recently modified entries at or after the alert time.
  • Check SSH login events on the Redis host for successful logins from unknown keys or source IPs shortly after the alert.
  • Review outbound connections from the Redis host for lateral movement or C2 activity following a successful key injection.
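To see the rule's two conditions and the "review subsequent commands from the same source IP" step in action, here is an added Python example; it is not code from the Elastic rule or from Packetbeat. It mirrors the EQL like~ matches as case-insensitive substring tests, then groups commands by client address to check whether the full four-step chain was completed. The records are constructed for this example, and the exact text Packetbeat stores in network_traffic.redis.query is assumed to be the command line as the client sent it.

```python
"""Added example: replay of the rule's EQL conditions and the triage correlation
step over constructed Redis command records. Not code from the Elastic rule or
from Packetbeat. The records are constructed; the text Packetbeat stores in
network_traffic.redis.query is assumed to be the command line as sent.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: one attacker session, one admin session taking a
# legitimate manual snapshot, and two single commands from a third host.
SAMPLE_RECORDS = [
    {"src": "203.0.113.7", "query": "CONFIG SET dir /root/.ssh"},
    {"src": "203.0.113.7", "query": "CONFIG SET dbfilename authorized_keys"},
    {"src": "203.0.113.7", "query": 'SET crackit "\\n\\nssh-rsa AAAAB3Nza... attacker@example\\n\\n"'},
    {"src": "203.0.113.7", "query": "BGSAVE"},
    {"src": "10.0.0.5", "query": "CONFIG SET dir /var/lib/redis"},
    {"src": "10.0.0.5", "query": "CONFIG SET dbfilename dump.rdb"},
    {"src": "10.0.0.5", "query": "BGSAVE"},
    # RedisRaider-style cron variant: outside the scope of this rule.
    {"src": "198.51.100.9", "query": "CONFIG SET dir /etc/cron.d"},
    # Redis commands are case-insensitive; like~ matches regardless of case.
    {"src": "198.51.100.9", "query": "config set DIR /home/deploy/.ssh"},
]

# Stages of the chain described above. SAVE produces the same flush as BGSAVE,
# only synchronously, so it counts as the final stage as well.
CHAIN_STAGES = ("dir", "dbfilename", "set", "save")


def rule_matches(query: str) -> bool:
    """Mirror of the rule's query: EQL like~ is a case-insensitive wildcard
    match, so a *X* pattern reduces to a lower-cased substring test."""
    q = query.lower()
    return (
        ("config set dir" in q and "/.ssh" in q)
        or ("config set dbfilename" in q and "authorized_keys" in q)
    )


def alerts(records: List[dict]) -> List[dict]:
    """Records that would raise this alert."""
    return [r for r in records if rule_matches(r["query"])]


def chain_stages_by_source(records: List[dict]) -> Dict[str, Set[str]]:
    """Which stages of the chain each client address was seen performing."""
    stages: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        q = r["query"].lower()
        if "config set dir" in q:
            stages[r["src"]].add("dir")
        if "config set dbfilename" in q:
            stages[r["src"]].add("dbfilename")
        if q.startswith("set "):
            stages[r["src"]].add("set")
        if q.startswith(("bgsave", "save")):
            stages[r["src"]].add("save")
    return dict(stages)


def full_chain_sources(records: List[dict]) -> List[str]:
    """Alerting clients that also completed every stage: the hosts they talked
    to are where authorized_keys must be inspected first."""
    flagged = {r["src"] for r in alerts(records)}
    stages = chain_stages_by_source(records)
    return sorted(s for s in flagged if stages.get(s, set()) >= set(CHAIN_STAGES))


if __name__ == "__main__":
    for r in alerts(SAMPLE_RECORDS):
        print(f"ALERT {r['src']}: {r['query']}")
    print("full chain completed by:", full_chain_sources(SAMPLE_RECORDS))
```

Of the constructed records, the three CONFIG SET commands aimed at a /.ssh path or at authorized_keys raise the alert, including the lower-cased one; the /etc/cron.d command does not, which is the gap the variant paragraph above describes. Only 203.0.113.7 also issued SET and BGSAVE, so that is the session whose target host needs its authorized_keys files checked first.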

False positive analysis

  • CONFIG SET dir is a legitimate administrative command, but pointing it to any /.ssh directory has no legitimate use case. A match on this pattern has an extremely low false positive rate.
  • CONFIG SET dbfilename authorized_keys has no legitimate operational use. Any match should be investigated immediately.
  • Automated deployment tooling (Ansible, Chef, Puppet) will never target SSH directories via Redis CONFIG SET — this combination is exclusively malicious.

Response and remediation

  • Immediately inspect /root/.ssh/authorized_keys and all user ~/.ssh/authorized_keys files on the Redis host for unauthorized entries and remove them.
  • Audit all active SSH sessions on the affected host and terminate unauthorized ones. Because the attacker had write access as the Redis process user (root if Redis ran as root), treat key material readable by that user, including SSH host keys, as compromised and rotate it.
  • Require authentication on all Redis instances (requirepass or ACL). Unauthenticated Redis reachable from any network is the root cause.
  • Restrict CONFIG using Redis ACLs: ACL SETUSER <user> -config. On Redis 7 and later, ACL rules can also be scoped to subcommands, for example -config|set, which blocks runtime reconfiguration while leaving CONFIG GET available.
  • Block inbound access to Redis port 6379 from untrusted networks at the host firewall or perimeter.
  • Consider enabling Redis's protected mode, which rejects connections from non-loopback addresses when no authentication is configured. It is on by default since Redis 3.2, so check whether it has been turned off with protected-mode no.
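The inspection step above (look at authorized_keys files for unexpected entries) has a reliable tell: sshd reads authorized_keys line by line and skips any line it cannot parse, which is exactly why the attacker pads the key with newlines. The binary RDB header and trailer become junk lines that sshd ignores, while the key line between them is honoured. The following Python is an added example, not code from the Elastic rule or from OpenSSH; it parses each line the way sshd would and reports the junk lines and the RDB magic at offset 0. The two sample files and the placeholder key blobs are constructed here and are not a faithful RDB encoding.

```python
"""Added example: inspect an authorized_keys file for traces of having been
written by the Redis CONFIG SET / BGSAVE chain. Not code from the Elastic rule
or from OpenSSH. Sample files and key blobs below are constructed.
"""
import base64
import binascii
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _wire_type_name(blob: bytes) -> Optional[str]:
    """First string of an SSH wire-format public key: uint32 length + bytes."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        return None
    try:
        return blob[4:4 + n].decode("ascii")
    except UnicodeDecodeError:
        return None


def parse_authorized_key(line: bytes) -> Optional[Tuple[str, str]]:
    """Return (keytype, comment) if sshd would accept the line, else None.
    Format: [options] keytype base64-blob [comment]; the type name embedded in
    the blob must agree with the keytype field."""
    try:
        text = line.decode("ascii").strip()
    except UnicodeDecodeError:
        return None                             # binary junk, e.g. RDB framing
    fields = text.split()
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0] in KEY_TYPES and len(fields) >= 2:
        keytype, b64, comment = fields[0], fields[1], " ".join(fields[2:])
    elif len(fields) >= 3 and fields[1] in KEY_TYPES:      # leading options field
        keytype, b64, comment = fields[1], fields[2], " ".join(fields[3:])
    else:
        return None
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if _wire_type_name(blob) != keytype:
        return None
    return keytype, comment


@dataclass
class AuthorizedKeysReport:
    starts_with_rdb_magic: bool                 # file begins with "REDIS"
    valid_keys: List[Tuple[str, str]] = field(default_factory=list)
    unparsable_lines: int = 0                   # non-blank, non-comment lines sshd skips

    @property
    def suspicious(self) -> bool:
        return self.starts_with_rdb_magic or self.unparsable_lines > 0


def inspect_authorized_keys(data: bytes) -> AuthorizedKeysReport:
    """Classify every line. A hand-maintained file holds only keys, comments
    and blank lines; anything else means some other tool wrote it."""
    report = AuthorizedKeysReport(starts_with_rdb_magic=data.startswith(b"REDIS"))
    for raw in data.split(b"\n"):
        if not raw.strip() or raw.lstrip().startswith(b"#"):
            continue                            # blank or comment: not evidence
        parsed = parse_authorized_key(raw)
        if parsed is None:
            report.unparsable_lines += 1
        else:
            report.valid_keys.append(parsed)
    return report


def _blob(keytype: str, filler: bytes) -> str:
    """Placeholder key blob for the samples: wire-format type name plus filler."""
    return base64.b64encode(struct.pack(">I", len(keytype)) + keytype.encode() + filler).decode()


# Constructed approximation of the file the chain leaves behind. The header and
# trailer bytes stand in for RDB framing; a real dump may also contain 0x0a
# bytes in its length prefixes, which only produce more junk lines.
INJECTED_FILE = (
    b"REDIS0011\xfa\tredis-ver\x057.2.4\xfe\x00\xfb\x01\x00\x00\x07crackit\x5c"
    + b"\n\nssh-rsa " + _blob("ssh-rsa", b"\x00" * 16).encode() + b" attacker@example\n\n"
    + b"\xff\x01\x02\x03\x04\x05\x06\x07\x08"
)

# Constructed clean file for comparison.
CLEAN_FILE = (
    b"# bastion admins\n"
    b"ssh-ed25519 " + _blob("ssh-ed25519", b"\x00\x00\x00\x20" + b"\x11" * 32).encode()
    + b" admin@bastion\n"
)

if __name__ == "__main__":
    for name, data in (("injected", INJECTED_FILE), ("clean", CLEAN_FILE)):
        r = inspect_authorized_keys(data)
        print(f"{name}: suspicious={r.suspicious} rdb_magic={r.starts_with_rdb_magic} "
              f"junk_lines={r.unparsable_lines} keys={r.valid_keys}")
```

Run against the injected sample, the report shows the RDB magic at offset 0, two unparsable lines (the header and trailer fragments) and one valid key carrying an unfamiliar comment; the clean file yields one key and nothing else. Any authorized_keys file with an unparsable line deserves a hard look whether or not this alert fired, since no hand-maintained file should contain one.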
