Account Manipulation: SSH Authorized Keys
Adversaries may modify the Secure Shell (SSH) authorized_keys file to maintain persistence on a victim host. SSH is the standard for remote access to Linux and Unix-based distributions, macOS, and Microsoft Windows from Windows 10 onward. Key-based authentication is the most common way to secure the SSH sessions used for remote management.
The authorized_keys file specifies the SSH public keys that may be used to log into the user account for which the file is configured. The system's SSH server config file is used to modify the configuration of the SSH server, and is usually located under
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-owned public keys. Because sshd accepts any key listed in the file, an adversary holding the corresponding private key can then log in as that existing user via SSH without needing the user's password.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for changes to, and suspicious processes modifying, the
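The detection guidance above, and the key-adding manipulation described earlier, can be exercised offline with the following script. It is an added example and not part of the ATT&CK page: it normalises each authorized_keys entry to its key type and key blob, so that a key an adversary appends behind an option string such as command="..." or a changed comment is still caught, and diffs the current file against a known-good snapshot. The sample files and key blobs are constructed placeholders; the helper names, the snapshot location and the use of /etc/passwd to enumerate home directories are assumptions, and the AuthorizedKeysFile directive in sshd_config can relocate the file away from the default path.

```shell
#!/bin/sh
# Added example (not from the ATT&CK page): report public keys that have
# appeared in an authorized_keys file since a known-good snapshot.
# Assumptions: a POSIX shell with awk, sort, comm and mktemp available, and a
# baseline snapshot taken while the file was known to be clean.

# Print one "keytype base64blob" line per key entry in the file given as $1.
# Blank lines and comments are skipped. A leading option string such as
# command="...",no-pty is ignored by scanning for the key-type token, so a key
# cannot be hidden behind options, and comment edits do not produce noise.
normalize_keys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print $i, $(i + 1)
                    break
                }
            }
        }' "$1" | sort -u
}

# $1 = baseline snapshot, $2 = current file. Prints entries present only in $2.
# comm needs sorted input, which normalize_keys already provides.
new_keys() {
    _nk_base=$(mktemp) || return 1
    _nk_cur=$(mktemp) || { rm -f "$_nk_base"; return 1; }
    normalize_keys "$1" > "$_nk_base"
    normalize_keys "$2" > "$_nk_cur"
    comm -13 "$_nk_base" "$_nk_cur"
    rm -f "$_nk_base" "$_nk_cur"
}

# Enumerate the default per-user key files from /etc/passwd so each can be
# snapshotted and compared. AuthorizedKeysFile in sshd_config can point
# elsewhere, so check that directive before trusting this list alone.
authorized_keys_files() {
    while IFS=: read -r name _ _ _ _ home _; do
        f="$home/.ssh/authorized_keys"
        [ -f "$f" ] && printf '%s %s\n' "$name" "$f"
    done < /etc/passwd
    return 0
}

# Constructed sample data: placeholder blobs, not real keys. The current file
# keeps the legitimate key (with an edited comment) and gains an adversary key
# hidden behind an option string.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
BASELINE="$DEMO_DIR/authorized_keys.baseline"
CURRENT="$DEMO_DIR/authorized_keys"
cat > "$BASELINE" <<'EOF'
# alice's workstation key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEYPLACEHOLDER alice@laptop
EOF
cat > "$CURRENT" <<'EOF'
# alice's workstation key (comment edited, key unchanged)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEYPLACEHOLDER alice@workstation
command="/bin/true",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQADVERSARYKEYPLACEHOLDER root@attacker
EOF

echo "Keys added since baseline:"
new_keys "$BASELINE" "$CURRENT"
```

Run it from a file-integrity-monitoring hook or a periodic job, with the baseline snapshot stored somewhere the monitored user cannot write: an adversary who can append to the user's authorized_keys could otherwise rewrite the baseline as well.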
Created: 20 December 2020
Last Modified: 20 December 2020