T1098.004 SSH Authorized Keys Mappings

Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.

Adversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-3 Access Enforcement Protects T1098.004 SSH Authorized Keys
CM-2 Baseline Configuration Protects T1098.004 SSH Authorized Keys
CM-6 Configuration Settings Protects T1098.004 SSH Authorized Keys
CM-7 Least Functionality Protects T1098.004 SSH Authorized Keys
CM-8 System Component Inventory Protects T1098.004 SSH Authorized Keys
RA-5 Vulnerability Monitoring and Scanning Protects T1098.004 SSH Authorized Keys
SC-12 Cryptographic Key Establishment and Management Protects T1098.004 SSH Authorized Keys
SI-3 Malicious Code Protection Protects T1098.004 SSH Authorized Keys
SI-4 System Monitoring Protects T1098.004 SSH Authorized Keys
azure_security_center_recommendations Azure Security Center Recommendations technique_scores T1098.004 SSH Authorized Keys
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of a Kubernetes container's file system which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal.
References
    linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration technique_scores T1098.004 SSH Authorized Keys
    Comments
    This control may alert on addition of new SSH keys to the authorized key file and unusual process access of the authorized key file.
    References
      file_integrity_monitoring File Integrity Monitoring technique_scores T1098.004 SSH Authorized Keys
      Comments
      This control may detect changes to the SSH authorized keys file which may indicate establishment of persistence. This control at worst scans for changes on an hourly basis.
      References