SSH authorized keys modified

Goal

Detect modifications to authorized SSH keys.

Strategy

SSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies the SSH keys that can be used to authenticate as a specific user on the system. Attackers may modify the authorized_keys file to authorize attacker-owned SSH keys, which allows the attacker to maintain persistence on a system as a specific user.

Triage and response

  1. Check what changes were made to authorized_keys, and under which user.
  2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.
  3. If the keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.
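
Triage steps 1 and 2 can be scripted as below; this is an added example, not part of the detection rule or of the Agent. It assumes you hold a known-good baseline copy of the file and an allowlist of trusted key fingerprints; the function names and sample keys are constructed for illustration.

```python
import base64, hashlib, re, struct

# A public-key blob begins with a 4-byte length, so its base64 form starts with "AAAA".
KEY_RE = re.compile(r"\b((?:ssh|ecdsa|sk)-[\w@.-]+)\s+(AAAA[0-9A-Za-z+/]+={0,2})(?:\s+(.*))?$")

def parse_keys(text):
    """Map SHA256 fingerprint -> (key type, options, comment) for each key line."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        m = None if line.startswith("#") else KEY_RE.search(line)
        if not m:
            continue  # blank line, comment, or not a key entry
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue  # malformed base64: not a usable key
        # Same format ssh-keygen -l prints: unpadded base64 of SHA-256 over the blob.
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        keys[fp] = (m.group(1), line[:m.start()].strip(), m.group(3) or "")
    return keys

def review_change(baseline_text, current_text, trusted_fps):
    """Classify differences between a trusted baseline and the current file."""
    before, after = parse_keys(baseline_text), parse_keys(current_text)
    added = [fp for fp in after if fp not in before]
    return {
        "added_untrusted": [fp for fp in added if fp not in trusted_fps],
        "added_trusted": [fp for fp in added if fp in trusted_fps],
        "removed": [fp for fp in before if fp not in after],
        # Same key, different options (e.g. a from= restriction was dropped).
        "options_changed": [fp for fp in after if fp in before and after[fp][1] != before[fp][1]],
    }

def sample_key(seed):
    """Constructed test key: correctly framed ssh-ed25519 blob, not a real key."""
    ktype = b"ssh-ed25519"
    body = hashlib.sha256(seed.encode()).digest()
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(body)) + body
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed sample data: baseline copy vs. file contents after the alert fired.
BASELINE = f'# ops keys\nfrom="10.0.0.5" {sample_key("alice")} alice@laptop\n'
CURRENT = f'{sample_key("alice")} alice@laptop\n{sample_key("bob")} bob@ws\n{sample_key("x")} root@unknown\n'
TRUSTED = set(parse_keys(sample_key("alice") + "\n" + sample_key("bob")))

if __name__ == "__main__":
    for kind, fps in review_change(BASELINE, CURRENT, TRUSTED).items():
        print(kind, fps)
```

Comparing by fingerprint rather than by line text means a changed comment does not hide or fake a key change, while a dropped option on an existing key is still reported.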

Requires Agent version 7.27 or greater
