« SSH Connection Established Inside A Running Container SSH Process Launched From Inside A Container »
Elastic Docs Elastic Security Solution [8.14] Detections and alerts Prebuilt rule reference

SSH Key Generated via ssh-keygen

edit

SSH Key Generated via ssh-keygenedit

This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.

Rule type: eql

Rule indices:

  • logs-endpoint.events.process*
  • endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Lateral Movement
  • Tactic: Persistence
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and
process.executable == "/usr/bin/ssh-keygen" and file.path : ("/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*") and
not file.name : "known_hosts.*"

Framework: MITRE ATT&CKTM

« SSH Connection Established Inside A Running Container SSH Process Launched From Inside A Container »