Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code><user-home>/.ssh/authorized_keys</code>.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.
Adversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-3 | Access Enforcement | Protects | T1098.004 | SSH Authorized Keys | |
CM-2 | Baseline Configuration | Protects | T1098.004 | SSH Authorized Keys | |
CM-6 | Configuration Settings | Protects | T1098.004 | SSH Authorized Keys | |
CM-7 | Least Functionality | Protects | T1098.004 | SSH Authorized Keys | |
CM-8 | System Component Inventory | Protects | T1098.004 | SSH Authorized Keys | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1098.004 | SSH Authorized Keys | |
SC-12 | Cryptographic Key Establishment and Management | Protects | T1098.004 | SSH Authorized Keys | |
SI-3 | Malicious Code Protection | Protects | T1098.004 | SSH Authorized Keys | |
SI-4 | System Monitoring | Protects | T1098.004 | SSH Authorized Keys | |
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1098.004 | SSH Authorized Keys | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modification of a Kubernetes container's file system, which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal. |
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1098.004 | SSH Authorized Keys | This control may alert on the addition of new SSH keys to the authorized keys file and on unusual process access to that file. |
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1098.004 | SSH Authorized Keys | This control may detect changes to the SSH authorized keys file, which may indicate establishment of persistence. At worst, this control scans for changes only hourly. |
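As an added example (not part of this mapping page or of any listed control), the detection logic the auditd and file-integrity-monitoring rows describe, reduced to its core: parse an authorized_keys file the way sshd reads it, including a leading options field, and report keys added since a baseline snapshot by key type and key blob rather than by raw line hash, so an edited comment does not alert while a key appended with options does. The sample file contents and key blobs are constructed, not real keys.

```python
import base64, hashlib, re
from dataclasses import dataclass

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519"} | {f"ecdsa-sha2-nistp{n}" for n in (256, 384, 521)}

@dataclass(frozen=True)
class AuthorizedKey:
    options: str   # leading options field, e.g. command="...",no-pty (empty when absent)
    key_type: str
    blob_b64: str  # base64 public-key blob: this, not the comment, identifies the key
    comment: str

    def fingerprint(self) -> str:
        # Same scheme as `ssh-keygen -lf`: SHA-256 of the decoded blob, unpadded base64.
        digest = hashlib.sha256(base64.b64decode(self.blob_b64)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def _split_field(line):
    """Split off the first field; double-quoted text (which may contain spaces) stays one field, as in sshd."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch in " \t" and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""

def parse_line(line):
    """Parse one authorized_keys entry; None for blank lines, comments and lines that are not a key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _split_field(line)
    options = ""
    if first not in KEY_TYPES:                       # an options field precedes the key type
        options, (first, rest) = first, _split_field(rest)
    blob, comment = _split_field(rest)
    if first not in KEY_TYPES or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", blob):
        return None
    return AuthorizedKey(options, first, blob, comment)

def diff_keys(baseline, current):
    """Return (added, removed) keys; identity is (type, blob), so a changed comment alone does not alert."""
    index = lambda text: {(k.key_type, k.blob_b64): k for k in map(parse_line, text.splitlines()) if k}
    base, cur = index(baseline), index(current)
    return [cur[i] for i in cur.keys() - base.keys()], [base[i] for i in base.keys() - cur.keys()]

# Constructed sample blobs: the ed25519 wire-format prefix followed by filler, not real keys.
_BLOB_A = "AAAAC3NzaC1lZDI1NTE5" + "ABCD" * 12
_BLOB_B = "AAAAC3NzaC1lZDI1NTE5" + "WXYZ" * 12
BASELINE = "# constructed baseline snapshot\nssh-ed25519 " + _BLOB_A + " admin@laptop\n"
CURRENT = BASELINE + 'command="ssh-ed25519 decoy",no-pty ssh-ed25519 ' + _BLOB_B + " backup\n"
```

`diff_keys(BASELINE, CURRENT)` reports the appended key with its options and fingerprint; in a monitor, the baseline would be the snapshot taken when the host was provisioned.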