SSH authorized keys modified

This page is not yet available in Korean and is being translated. If you have any questions or feedback about the translation, please contact us.

Goal

Detect modifications to authorized SSH keys.

Strategy

SSH is a commonly used key-based authentication mechanism. With key-based authentication, the authorized_keys file lists the SSH public keys that can be used to authenticate as a specific user on the system. Attackers may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as that user.

Triage and response

  1. Check what changes were made to authorized_keys, and under which user.
  2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.
  3. If the keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.
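
As an added example (not part of this rule page or the Datadog Agent), a small Python helper for steps 1 and 2 of the triage above: it parses a trusted copy of a user's authorized_keys and the file as found after the alert, then reports keys that were added, removed, or had their option restrictions (such as `command=` or `from=`) changed. The file contents below are constructed samples, not keys from any real host.

```python
import re

# Constructed sample contents (not from any real host): a trusted baseline for the
# user "deploy" and the file as found after the alert fired.
BASELINE = """\
# deploy keys managed by config management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKey1 deploy@ci
command="/usr/bin/rrsync /srv/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAExampleKey2 backup@nas
"""
CURRENT = """\
# deploy keys managed by config management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKey1 deploy@ci
ssh-rsa AAAAB3NzaC1yc2EAAAExampleKey2 backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleUnknownKey3 nobody@unknown-laptop
"""

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com", "ssh-dss")
# Entry layout: [options] key-type base64-blob [comment]. Options may contain quoted
# strings with spaces, so the regex anchors on the key-type token rather than splitting.
ENTRY_RE = re.compile(
    r"^(?:(?P<options>.*?)\s+)?(?P<type>" + "|".join(re.escape(t) for t in KEY_TYPES)
    + r")\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")

def parse_authorized_keys(text):
    """Map (key type, base64 blob) -> {"options", "comment"} for every key line."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:  # keep unparseable lines visible instead of silently dropping them
            keys[("unparsed", line)] = {"options": "", "comment": ""}
            continue
        keys[(m["type"], m["blob"])] = {"options": m["options"] or "",
                                        "comment": m["comment"] or ""}
    return keys

def diff_authorized_keys(baseline_text, current_text):
    """Report keys added, removed, or whose option restrictions changed since the baseline."""
    base, cur = parse_authorized_keys(baseline_text), parse_authorized_keys(current_text)
    return {
        "added": sorted(k for k in cur if k not in base),
        "removed": sorted(k for k in base if k not in cur),
        "options_changed": sorted(k for k in cur
                                  if k in base and base[k]["options"] != cur[k]["options"]),
    }

if __name__ == "__main__":
    for change, entries in diff_authorized_keys(BASELINE, CURRENT).items():
        print(change, entries)
```

Keys are identified by type and blob rather than by comment, since the comment is free text an attacker can set to anything. A key whose `command=` or `from=` restriction disappeared is as much a finding as a new key.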

Requires Agent version 7.27 or greater