IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Binary Executed from Shared Memory Directory Potential Shell via Web Server »

› ›

Modification of OpenSSH Binaries

edit

Modification of OpenSSH Binaries

edit

Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.

Rule type: query

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html

Tags:

Elastic
Host
Linux
Threat Detection
Credential Access
Persistence

Version: 4

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

event.category:file and event.type:change and
 process.name:* and
 (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and
 not process.name:("dpkg" or "yum" or "dnf" or "dnf-automatic")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Modify Authentication Process
- ID: T1556
- Reference URL: https://attack.mitre.org/techniques/T1556/

« Binary Executed from Shared Memory Directory Potential Shell via Web Server »