Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags | Kubernetes - AGENT, Containers
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
A process modified an SSH authorized_keys file, which is used in SSH public-key authentication. An attacker can add or remove an SSH key in this file to gain access to a targeted host.
Attacker's Goals
Adversaries add a public key for which they hold the corresponding private key, so that they can log in as an existing user via SSH.
Investigative actions
Review the modification to the file (which key was added or removed), and assess the impact of the related processes and network connections.
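The following is an added investigative aid, not part of the original detector documentation and not Cortex XDR code. It parses two snapshots of an authorized_keys file (the file format itself: optional comma-separated options, key type, base64 key blob, optional comment), fingerprints each key the way `ssh-keygen -lf` does, and reports keys that were added, removed, or had their restrictions changed. The before/after file contents and the key blobs are constructed sample data, built in SSH wire-format layout so they fingerprint cleanly; they are not real keys.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# Key types an authorized_keys entry may start with; anything else in the
# first field is an options list (from=, command=, no-pty, ...).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


@dataclass(frozen=True)
class AuthorizedKey:
    key_type: str
    blob_b64: str
    comment: str = ""
    options: tuple = ()

    @property
    def fingerprint(self) -> str:
        # Same form as `ssh-keygen -lf`: SHA256 over the raw key blob,
        # base64 encoded with the trailing padding dropped.
        digest = hashlib.sha256(base64.b64decode(self.blob_b64)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_leading_options(line: str):
    """Return (options_text, rest); quoted option values may contain spaces."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def _split_options(text: str) -> tuple:
    """Split on commas, but not on commas inside double quotes."""
    opts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        opts.append("".join(cur))
    return tuple(opts)


def parse_authorized_keys(text: str) -> list:
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ()
        if not line.startswith(KEY_TYPE_PREFIXES):
            opt_text, line = _split_leading_options(line)
            options = _split_options(opt_text)
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # malformed entry; sshd ignores it as well
        comment = parts[2] if len(parts) == 3 else ""
        keys.append(AuthorizedKey(parts[0], parts[1], comment, options))
    return keys


def diff_authorized_keys(before: str, after: str) -> dict:
    """Compare two snapshots of the file by key fingerprint."""
    old = {k.fingerprint: k for k in parse_authorized_keys(before)}
    new = {k.fingerprint: k for k in parse_authorized_keys(after)}
    return {
        "added": [new[f] for f in new if f not in old],
        "removed": [old[f] for f in old if f not in new],
        # Same key, different restrictions (e.g. a from= or command= limit dropped).
        "changed_options": [new[f] for f in new
                            if f in old and new[f].options != old[f].options],
    }


def _fake_blob(key_type: str, seed: int) -> str:
    """CONSTRUCTED key blob in SSH wire-format layout (length-prefixed strings).
    Not a real key; only the layout matters for fingerprinting."""
    kt = key_type.encode()
    raw = struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()


# Constructed before/after snapshots of an authorized_keys file.
K1, K2, K3 = (_fake_blob("ssh-ed25519", i) for i in (1, 2, 3))
BEFORE = f"""# sample file (constructed)
ssh-ed25519 {K1} alice@laptop
from="10.0.0.0/8",no-pty ssh-ed25519 {K2} backup@nas
"""
AFTER = f"""# sample file (constructed)
ssh-ed25519 {K1} alice@laptop
ssh-ed25519 {K2} backup@nas
command="/usr/bin/rsync --server,--sender",no-port-forwarding ssh-ed25519 {K3} deploy
"""


def summarize(before: str = BEFORE, after: str = AFTER) -> list:
    """One line per finding, suitable for pasting into investigation notes."""
    out = []
    for kind, keys in diff_authorized_keys(before, after).items():
        for k in keys:
            out.append(f"{kind}: {k.fingerprint} {k.key_type} {k.comment!r} options={list(k.options)}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Run against the constructed data, the diff reports one added key (the `deploy` entry, whose `command=` option keeps its embedded comma intact) and one existing key whose `from=`/`no-pty` restrictions were dropped; the fingerprints it prints can be matched against the output of `ssh-keygen -lf` on the host.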
Variations
A process modified an SSH authorized_keys2 file
A process modified an SSH authorized_keys file from within a Kubernetes Pod
Unpopular process modified the SSH authorized_keys file