Account Manipulation: SSH Authorized Keys
Adversaries may modify the SSH
authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The
authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under
<user-home>/.ssh/authorized_keys. Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under
Adversaries may modify SSH
authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH. 
|M1042||Disable or Remove Feature or Program||
Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using
|M1022||Restrict File and Directory Permissions||
Restrict access to the
Use file integrity monitoring to detect changes made to the
authorized_keys file for each user on a system. Monitor for suspicious processes modifying the
Monitor for changes to and suspicious processes modifiying
- ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020.
- Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020.
- Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020.