Account Manipulation: SSH Authorized Keys

Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.[1] Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.

Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.[2] [3]

ID: T1098.004
Sub-technique of:  T1098
Tactic: Persistence
Platforms: Linux, macOS
Permissions Required: Administrator, User
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Contributors: Tony Lambert, Red Canary
Version: 1.0
Created: 24 June 2020
Last Modified: 25 June 2020

Procedure Examples

Name Description
Bundlore

Bundlore creates a new key pair with ssh-keygen and drops the newly created user key in authorized_keys to enable remote login.[5]

Skidmap

Skidmap has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host.[4]

Mitigations

Mitigation Description
Disable or Remove Feature or Program

Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using /etc/ssh/sshd_config.

Restrict File and Directory Permissions

Restrict access to the authorized_keys file.

Detection

Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file.

Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.

References