SSH Authorized Keys File Modified Inside a Container

edit

SSH Authorized Keys File Modified Inside a Container

edit

This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Tactic: Lateral Movement

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
file where container.id:"*" and
  event.type in ("change", "creation") and file.name: ("authorized_keys", "authorized_keys2", "sshd_config")

Framework: MITRE ATT&CKTM