SSH Authorized Keys File Modified Inside a Container
editSSH Authorized Keys File Modified Inside a Container
editThis rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
Rule type: eql
Rule indices:
- logs-cloud_defend*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Persistence
- Lateral Movement
- Container
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editfile where container.id:"*" and event.type in ("change", "creation") and file.name: ("authorized_keys", "authorized_keys2", "sshd_config")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
-
Sub-technique:
- Name: SSH Authorized Keys
- ID: T1098.004
- Reference URL: https://attack.mitre.org/techniques/T1098/004/
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Remote Service Session Hijacking
- ID: T1563
- Reference URL: https://attack.mitre.org/techniques/T1563/
-
Sub-technique:
- Name: SSH Hijacking
- ID: T1563.001
- Reference URL: https://attack.mitre.org/techniques/T1563/001/
-
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
-
Sub-technique:
- Name: SSH
- ID: T1021.004
- Reference URL: https://attack.mitre.org/techniques/T1021/004/