| ID | Name |
|---|---|
| T1098.001 | Additional Cloud Credentials |
| T1098.002 | Additional Email Delegate Permissions |
| T1098.003 | Additional Cloud Roles |
| T1098.004 | SSH Authorized Keys |
| T1098.005 | Device Registration |
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.[1] Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s "add-metadata" command an adversary may add SSH keys to a user account.[2][3] Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.[4] This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.[5][6]
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.
| ID | Name | Description |
|---|---|---|
| S0482 | Bundlore |
Bundlore creates a new key pair with |
| S0468 | Skidmap |
Skidmap has the ability to add the public key of its handlers to the |
| G0139 | TeamTNT | |
| S0658 | XCSSET |
XCSSET will create an ssh key if necessary with the |
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program |
Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using |
| M1022 | Restrict File and Directory Permissions |
Restrict access to the |
| M1018 | User Account Management |
In cloud environments, ensure that only users who explicitly require the permissions to update instance metadata or configurations can do so. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Modification |
| DS0009 | Process | Process Creation |
Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file. In cloud environments, monitor instances for modification of metadata and configurations.
Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.