Account Manipulation: SSH Authorized Keys

ID          Name
VT0011.001  Additional Cloud Credentials
VT0011.002  SSH Authorized Keys

Adversaries may modify the Secure Shell (SSH) authorized_keys file to maintain persistence on a victim host. SSH is the standard for remote access to Linux and Unix-based distributions, macOS, and Windows machines from Windows 10 onward. SSH is most commonly deployed with key-based authentication to secure remote management sessions.

The authorized_keys file in SSH lists the public keys that are permitted to log in to the user account for which the file is configured.[1] The system's SSH server configuration file, usually located at /etc/ssh/sshd_config, controls the behaviour of the SSH server.

Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-owned public keys. An adversary possessing the corresponding private key can then log in as an existing user via SSH.[2][3]

Procedure Examples

Name     Description
Skidmap  Skidmap has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host.[4]

Mitigations

This technique cannot be easily mitigated with preventive controls, since it is based on the abuse of legitimate system features.

Detection

Use file integrity monitoring to detect changes made to the authorized_keys file of each user on a system, and monitor for suspicious processes modifying those files.

Monitor for changes to /etc/ssh/sshd_config and for suspicious processes modifying it.
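The two detections above (inventorying each user's authorized_keys file and watching sshd_config for changes) can be implemented as a small audit script. The following is an added example, not code from the original page: it parses authorized_keys lines including their options field, computes SHA256 fingerprints in the form ssh-keygen -lf prints, diffs a baseline inventory against the current state so newly appended keys are reported, and flags the sshd_config directives that change where sshd looks for keys (AuthorizedKeysFile, AuthorizedKeysCommand, AuthorizedKeysCommandUser). The demo() function builds a constructed home and /etc/ssh tree in a temporary directory, and the key blobs it writes are constructed placeholders rather than real keys.

```python
"""Audit SSH authorized_keys files and sshd_config for unexpected changes.

Added example, not part of the original page. demo() builds a constructed
directory tree so the script runs offline; its key material is a placeholder.
"""
import base64
import binascii
import hashlib
import os
import re
import shlex
import tempfile

# Key types recognised as the start of the key proper; tokens before one of
# these form the options field (from="...", command="...", etc.).
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
# sshd_config directives that change where sshd obtains authorized keys.
KEY_SOURCE_DIRECTIVES = {"authorizedkeysfile", "authorizedkeyscommand",
                         "authorizedkeyscommanduser"}


def fingerprint(key_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints, or None if not base64."""
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text):
    """One dict per key line: options, type, key blob, comment and fingerprint."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)   # keeps quoted options like command="ls -l" together
        except ValueError:               # unbalanced quote: fall back to a plain split
            tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        fp = fingerprint(tokens[idx + 1]) if idx is not None and idx + 1 < len(tokens) else None
        if fp is None:                   # no key type or undecodable blob: keep it visible
            entries.append({"malformed": line, "fingerprint": "MALFORMED:" + line})
            continue
        entries.append({"options": ",".join(tokens[:idx]), "type": tokens[idx],
                        "key": tokens[idx + 1], "comment": " ".join(tokens[idx + 2:]),
                        "fingerprint": fp})
    return entries


def key_inventory(home_root):
    """Map each <home>/.ssh/authorized_keys under home_root to its set of fingerprints."""
    inventory = {}
    for home in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, home, ".ssh", "authorized_keys")
        if os.path.isfile(path):
            with open(path) as f:
                inventory[path] = {e["fingerprint"] for e in parse_authorized_keys(f.read())}
    return inventory


def diff_inventory(baseline, current):
    """(path, added, removed) for every authorized_keys file whose key set changed."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path, set()), current.get(path, set())
        if before != after:
            findings.append((path, after - before, before - after))
    return findings


def sshd_config_findings(path):
    """(line number, directive, value) for directives that redirect key lookup."""
    findings = []
    with open(path) as f:
        for lineno, raw in enumerate(f, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd allows "Key value" or "Key=value"
            if parts[0].lower() in KEY_SOURCE_DIRECTIVES:
                findings.append((lineno, parts[0], parts[1] if len(parts) > 1 else ""))
    return findings


def demo():
    """Constructed host: record a baseline, append a key, re-check, inspect sshd_config."""
    root = tempfile.mkdtemp()
    home, etc = os.path.join(root, "home"), os.path.join(root, "etc", "ssh")
    os.makedirs(os.path.join(home, "alice", ".ssh"))
    os.makedirs(etc)
    ak = os.path.join(home, "alice", ".ssh", "authorized_keys")
    legit = base64.b64encode(b"constructed-key-alice").decode()    # placeholder, not a real key
    extra = base64.b64encode(b"constructed-key-unknown").decode()  # placeholder, not a real key
    with open(ak, "w") as f:
        f.write(f'from="10.0.0.0/8" ssh-ed25519 {legit} alice@laptop\n')
    baseline = key_inventory(home)                 # what a FIM baseline would record
    with open(ak, "a") as f:                       # the change detection must catch
        f.write(f"ssh-ed25519 {extra}\n")
    cfg = os.path.join(etc, "sshd_config")
    with open(cfg, "w") as f:                      # constructed config with a changed key path
        f.write("Port 22\nAuthorizedKeysFile .ssh/authorized_keys /srv/constructed_keys\n")
    return diff_inventory(baseline, key_inventory(home)), sshd_config_findings(cfg), extra


if __name__ == "__main__":
    changes, cfg_hits, _ = demo()
    for path, added, removed in changes:
        print(f"{path}: added {sorted(added)} removed {sorted(removed)}")
    for lineno, directive, value in cfg_hits:
        print(f"sshd_config line {lineno}: {directive} {value}")
```

On a real host, run key_inventory over /home (plus /root and any service-account homes) on a schedule, persist the result, and alert on any non-empty diff_inventory output; keeping the fingerprint rather than the raw blob makes the alert directly comparable with the output of ssh-keygen -lf and with the fingerprints sshd logs on successful logins. The sshd_config check should be paired with the file-change monitoring the text describes, since a changed AuthorizedKeysFile or AuthorizedKeysCommand moves the keys out of the files the inventory watches.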

ID: VT0011.002
Sub-techniques:
Tactic: Persistence
Platforms: Linux, macOS
Permissions Required: Administrator, User
Data Sources: File monitoring, Process command-line parameters, Process monitoring
Version: 1.0

Created: 20 December 2020

Last Modified: 20 December 2020