Detection Strategy for SSH Key Injection in Authorized Keys

Technique Detected: SSH Authorized Keys | T1098.004

ID: DET0126
Domains: Enterprise
Analytics: AN0350, AN0351, AN0352, AN0353, AN0354
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0350

Adversary attempts to gain persistence by modifying ~/.ssh/authorized_keys via shell, text editor, echo or redirected output.

Log Sources (data component: name, channel)
  File Modification (DC0061): auditd:SYSCALL, write | PATH=/home/*/.ssh/authorized_keys
  Process Creation (DC0032): auditd:SYSCALL, execve
Mutable Elements (field: description)
  TimeWindow: temporal window within which file writes and suspicious process launches are correlated (e.g., <60s)
  UserContext: expected user-to-process correlation (e.g., root writing to a non-root user's authorized_keys)
  TargetPath: custom SSH path or user home variation (e.g., /etc/skel/.ssh/)
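The correlation AN0350 describes, as an added example that is not part of the MITRE page: auditd SYSCALL and PATH records are joined on their audit serial, writes to an authorized_keys path are checked against the file owner (UserContext) and against execve events from the same process lineage inside the TimeWindow. The log lines are constructed samples in auditd's key=value format; the field names are standard auditd fields, the pids, uids and timestamps are invented.

```python
import re
from collections import defaultdict

# Constructed auditd records: an interactive vim edit by the file's owner
# (benign), then root appending to another user's key file right after a
# child curl process was exec'd (the pattern the analytic is after).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1761043200.101:501): arch=c000003e syscall=1 success=yes exit=395 items=1 ppid=2210 pid=2254 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="sshkeys"
type=PATH msg=audit(1761043200.101:501): item=0 name="/home/alice/.ssh/authorized_keys" inode=131090 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1761043258.300:511): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=3044 pid=3060 auid=0 uid=0 gid=0 euid=0 comm="curl" exe="/usr/bin/curl" key="exec"
type=PATH msg=audit(1761043258.300:511): item=0 name="/usr/bin/curl" inode=2002 dev=fd:01 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1761043260.417:512): arch=c000003e syscall=1 success=yes exit=400 items=1 ppid=3001 pid=3044 auid=0 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="sshkeys"
type=PATH msg=audit(1761043260.417:512): item=0 name="/home/bob/.ssh/authorized_keys" inode=131091 dev=fd:01 mode=0100600 ouid=1001 ogid=1001 nametype=NORMAL
"""

AUTHORIZED_KEYS_RE = re.compile(r"^/home/[^/]+/\.ssh/authorized_keys$")  # TargetPath
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
SYS_WRITE, SYS_EXECVE = "1", "59"  # x86_64 syscall numbers (arch=c000003e)


def parse_record(line):
    """Split one auditd line into a dict; timestamp and serial come from msg=audit(ts:serial)."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_ts"], fields["_serial"] = float(m.group(1)), m.group(2)
    return fields


def group_events(log_text):
    """Join the SYSCALL record and its PATH records that share an audit serial."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["_serial"]]
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec)
    return [ev for ev in events.values() if ev["syscall"] is not None]


def detect_key_injection(log_text, time_window=60.0, path_pattern=AUTHORIZED_KEYS_RE):
    """Return one alert per authorized_keys write that has a UserContext or TimeWindow finding."""
    events = group_events(log_text)
    execs = [ev["syscall"] for ev in events if ev["syscall"].get("syscall") == SYS_EXECVE]
    alerts = []
    for ev in events:
        sc = ev["syscall"]
        if sc.get("syscall") != SYS_WRITE:
            continue
        for p in ev["paths"]:
            if not path_pattern.match(p.get("name", "")):
                continue
            reasons = []
            # UserContext: the writing process's effective uid is not the file owner.
            if sc.get("euid") != p.get("ouid"):
                reasons.append(f"euid {sc.get('euid')} wrote key file owned by uid {p.get('ouid')}")
            # TimeWindow: execve in the same lineage (same pid, parent, or child) within the window.
            lineage = {sc.get("pid"), sc.get("ppid")}
            related = [e for e in execs
                       if lineage & {e.get("pid"), e.get("ppid")}
                       and abs(e["_ts"] - sc["_ts"]) <= time_window]
            for e in related:
                reasons.append(f"execve of {e.get('exe')} (pid {e.get('pid')}) {sc['_ts'] - e['_ts']:+.3f}s from write")
            if reasons:
                alerts.append({"path": p["name"], "comm": sc.get("comm"), "euid": sc.get("euid"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_key_injection(SAMPLE_AUDIT_LOG):
        print(alert["path"], alert["comm"], *alert["reasons"], sep="\n  ")
```

Alice's own vim edit produces no alert: owner and writer match and nothing was exec'd around it. Narrowing `time_window` drops the execve finding for the root write but keeps the owner mismatch, which is why the two mutable elements are evaluated independently rather than as a single condition.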

AN0351

Insertion of public keys into authorized_keys using bash/zsh or editor tools, correlated with suspicious process ancestry.

Log Sources (data component: name, channel)
  Process Creation (DC0032): macos:unifiedlog, process: exec + filewrite: ~/.ssh/authorized_keys
  File Modification (DC0061): macos:auth, ~/.ssh/authorized_keys
Mutable Elements (field: description)
  ParentProcess: track an unusual parent process writing to SSH configuration (e.g., curl -> bash)
  InteractiveSessionFlag: whether the shell session was interactive (normal) or spawned remotely (potential abuse)

AN0352

Abuse of cloud metadata APIs or CLI to push SSH public keys to authorized_keys of virtual machines.

Log Sources (data component: name, channel)
  File Modification (DC0061): gcp:audit, compute.instances.setMetadata
Mutable Elements (field: description)
  MetadataFieldName: custom metadata field carrying the key (e.g., ssh-keys or custom-key)
  AccountType: whether the initiating identity was an admin, a service principal, or an automation user
  TargetRoleEscalation: privilege level of the VM account receiving the key
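One way to evaluate a setMetadata audit event against AN0352's mutable elements, added here as example code rather than anything from the MITRE page or Google: the entry is checked for the setMetadata method, key entries are pulled from the configured metadata field names, diffed against a baseline of approved keys, and the result is annotated with the account type of the caller and whether the receiving VM account is privileged. The audit entry is a constructed sample; the `methodName`, `authenticationInfo.principalEmail` and `resourceName` fields follow the Cloud Audit Logs shape, while the nesting of `metadata.items` under `request` is an assumption about the layout and the key blobs are invented.

```python
import json

# Constructed Cloud Audit Logs entry: a service account pushes two keys,
# one already approved for "ops" and one new key bound to "root".
SAMPLE_GCP_AUDIT_ENTRY = json.dumps({
    "timestamp": "2025-10-21T10:15:30Z",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "methodName": "v1.compute.instances.setMetadata",
        "authenticationInfo": {"principalEmail": "deploy-bot@example-project.iam.gserviceaccount.com"},
        "resourceName": "projects/example-project/zones/us-central1-a/instances/web-01",
        "request": {
            "@type": "type.googleapis.com/compute.instances.setMetadata",
            "metadata": {"items": [
                {"key": "ssh-keys", "value":
                    "ops:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKey0000000000000000000000 ops@example\n"
                    "root:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNewKey00000000000000000000000 unknown@host"},
                {"key": "startup-script", "value": "#!/bin/bash\necho boot"},
            ]},
        },
    },
})

# Baseline of (vm_user, key_type, key_blob) tuples already approved for this project (constructed).
KNOWN_KEYS = {("ops", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKey0000000000000000000000")}


def parse_ssh_keys_value(value):
    """Parse the 'user:type blob comment' lines GCE uses in the ssh-keys metadata value."""
    keys = set()
    for line in value.splitlines():
        user, sep, pubkey = line.strip().partition(":")
        parts = pubkey.split()
        if sep and len(parts) >= 2:
            keys.add((user, parts[0], parts[1]))  # comment is free-form, so it is dropped
    return keys


def classify_account(principal):
    """AccountType: service accounts end in .gserviceaccount.com; everything else is a human or group."""
    return "service_account" if principal.endswith(".gserviceaccount.com") else "user"


def analyze_set_metadata(entry_json, known_keys, key_fields=("ssh-keys", "sshKeys"),
                         privileged_users=("root",)):
    """Return a finding dict for a setMetadata event, or None if the entry is a different method."""
    entry = json.loads(entry_json)
    payload = entry.get("protoPayload", {})
    if not payload.get("methodName", "").endswith("compute.instances.setMetadata"):
        return None
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    items = payload.get("request", {}).get("metadata", {}).get("items", [])
    pushed = set()
    for item in items:
        if item.get("key") in key_fields:  # MetadataFieldName
            pushed |= parse_ssh_keys_value(item.get("value", ""))
    added = sorted(pushed - known_keys)
    return {
        "instance": payload.get("resourceName", ""),
        "principal": principal,
        "account_type": classify_account(principal),
        "added_keys": added,
        # TargetRoleEscalation: a new key lands on a privileged VM account
        "privileged_target": any(user in privileged_users for user, _, _ in added),
    }


if __name__ == "__main__":
    print(json.dumps(analyze_set_metadata(SAMPLE_GCP_AUDIT_ENTRY, KNOWN_KEYS), indent=2))
```

Key removals are deliberately not reported: only blobs absent from the baseline surface, so routine re-pushes of an unchanged ssh-keys value stay quiet while the first appearance of a key on a privileged account does not.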

AN0353

Direct modification of /etc/ssh/keys-/authorized_keys, or enabling SSH and public-key authentication in sshd_config on the hypervisor.

Log Sources (data component: name, channel)
  File Modification (DC0061): esxi:shell, file write or edit
Mutable Elements (field: description)
  SSHConfigPath: non-default SSH key or configuration path on the hypervisor
  ESXiShellActivity: whether the ESXi Shell was enabled beforehand via DCUI or API

AN0354

Use of CLI commands such as ip ssh pubkey-chain to bind SSH keys to privileged accounts on routers or switches.

Log Sources (data component: name, channel)
  Command Execution (DC0064): networkdevice:cli, ip ssh pubkey-chain
Mutable Elements (field: description)
  CLIUserRole: whether the role issuing the command was permitted to make persistent configuration changes
  DeviceModel: variations in command syntax and log behavior across device operating systems
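Detection logic for AN0354 over a stream of logged CLI commands, added as an example and not taken from the MITRE page or any vendor: the command sequence is replayed as a small state machine so that a key-hash entered under `ip ssh pubkey-chain` / `username X` is attributed to the account it binds to, then each binding is checked against the target account's privilege level and against the set of roles allowed to make persistent changes (CLIUserRole). The log lines are constructed in the IOS-style `%PARSER-5-CFGLOG_LOGGEDCMD` configuration-logging format; the usernames, hashes and timestamps are invented, and other device operating systems (DeviceModel) will need their own command grammar.

```python
import re

# Constructed IOS-style config-change log. First block: an automation
# account binds a key to the privilege-15 "netadmin" user. Second block:
# netadmin binds a key to a privilege-1 read-only user.
SAMPLE_CLI_LOG = """\
Oct 21 10:15:30.123: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:ip ssh pubkey-chain
Oct 21 10:15:31.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:username netadmin
Oct 21 10:15:31.400: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:key-hash ssh-rsa 9A6F0E4D5B1C2D3E4F5061728394A5B6
Oct 21 10:15:32.010: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:exit
Oct 21 10:15:32.500: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:exit
Oct 21 11:02:05.700: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:ip ssh pubkey-chain
Oct 21 11:02:06.100: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:username readonly
Oct 21 11:02:06.600: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:key-hash ssh-rsa 1B2C3D4E5F60718293A4B5C6D7E8F901
Oct 21 11:02:07.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:end
"""

# Constructed inventory: local account privilege levels and the roles
# allowed to push persistent configuration changes.
USER_PRIVILEGE = {"netadmin": 15, "readonly": 1, "svc-backup": 15}
CHANGE_ROLES = {"netadmin"}

CMD_RE = re.compile(r"User:(?P<actor>\S+)\s+logged command:(?P<cmd>.*)$")


def extract_pubkey_bindings(log_text):
    """Replay logged commands and return (actor, target account, key command) bindings."""
    bindings = []
    in_chain, target = False, None
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if not m:
            continue
        actor, cmd = m.group("actor"), m.group("cmd").strip()
        if cmd == "ip ssh pubkey-chain":
            in_chain, target = True, None
        elif cmd == "end":                      # back to privileged EXEC, chain closed
            in_chain, target = False, None
        elif cmd == "exit":                     # one level up: username -> chain -> config
            if target is not None:
                target = None
            else:
                in_chain = False
        elif in_chain and cmd.startswith("username "):
            target = cmd.split()[1]
        elif in_chain and target and cmd.startswith(("key-hash ", "key-string")):
            bindings.append({"actor": actor, "target": target, "key": cmd, "line": line})
    return bindings


def detect_privileged_key_binding(log_text, user_privilege, change_roles, threshold=15):
    """Alert when a key is bound to a privileged account or pushed by a role not allowed to change config."""
    alerts = []
    for b in extract_pubkey_bindings(log_text):
        reasons = []
        if user_privilege.get(b["target"], 0) >= threshold:
            reasons.append(f"key bound to privilege-{user_privilege[b['target']]} account {b['target']}")
        if b["actor"] not in change_roles:  # CLIUserRole
            reasons.append(f"actor {b['actor']} is not an approved configuration-change role")
        if reasons:
            alerts.append({**b, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_key_binding(SAMPLE_CLI_LOG, USER_PRIVILEGE, CHANGE_ROLES):
        print(alert["line"], *alert["reasons"], sep="\n  ")
```

Replaying the command stream instead of grepping for `key-hash` matters because the bound account is only named on an earlier `username` line inside the chain; a single-line match would attribute the key to nobody. The `username` lines outside `ip ssh pubkey-chain` (ordinary local-account definitions) are ignored for the same reason.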