SSH authorized keys modified

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect modifications to authorized SSH keys.

Strategy

SSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker’s may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.

Triage and response

  1. Check what changes were made to authorized_keys, and under which user.
  2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.
  3. If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.

Requires Agent version 7.27 or greater