IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
SSH Key Generated via ssh-keygen
editSSH Key Generated via ssh-keygen
editThis rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.
Rule type: eql
Rule indices:
- logs-endpoint.events.process*
- endgame-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Lateral Movement
- Tactic: Persistence
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editfile where host.os.type == "linux" and event.action in ("creation", "file_create_event") and process.executable == "/usr/bin/ssh-keygen" and file.path : ("/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*") and not file.name : "known_hosts.*"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
-
Sub-technique:
- Name: SSH Authorized Keys
- ID: T1098.004
- Reference URL: https://attack.mitre.org/techniques/T1098/004/
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
-
Sub-technique:
- Name: SSH
- ID: T1021.004
- Reference URL: https://attack.mitre.org/techniques/T1021/004/
-
Technique:
- Name: Remote Service Session Hijacking
- ID: T1563
- Reference URL: https://attack.mitre.org/techniques/T1563/
-
Sub-technique:
- Name: SSH Hijacking
- ID: T1563.001
- Reference URL: https://attack.mitre.org/techniques/T1563/001/