Suspicious cloud compute instance ssh keys modification attempt

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Informational

Description

An identity attempted to modify the SSH keys of a single compute instance.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.

Attacker's Goals

  • Maintain persistence on a compromised compute instance.
  • Escalate local privileges to gain root on compute instance.

Investigative actions

  • Investigate if SSH keys were modified or added at the instance or project level.
  • Investigate which permissions were obtained as a result of the SSH keys modification.

Variations

Instance SSH keys were modified for the first time in the cloud provider

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

High

Description

An identity has modified the SSH keys of an instance for the first time in the cloud provider.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.

Attacker's Goals

  • Maintain persistence on a compromised compute instance.
  • Escalate local privileges to gain root on compute instance.

Investigative actions

  • Investigate if SSH keys were modified or added at the instance or project level.
  • Investigate which permissions were obtained as a result of the SSH keys modification.


Suspicious cloud compute instance SSH keys modification by a service account

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Medium

Description

A service account has modified the SSH keys of a single compute instance.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.

Attacker's Goals

  • Maintain persistence on a compromised compute instance.
  • Escalate local privileges to gain root on compute instance.

Investigative actions

  • Investigate if SSH keys were modified or added at the instance or project level.
  • Investigate which permissions were obtained as a result of the SSH keys modification.


Suspicious cloud compute instance SSH keys modification

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Informational

Description

An identity has modified the SSH keys of a single compute instance.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.

Attacker's Goals

  • Maintain persistence on a compromised compute instance.
  • Escalate local privileges to gain root on compute instance.

Investigative actions

  • Investigate if SSH keys were modified or added at the instance or project level.
  • Investigate which permissions were obtained as a result of the SSH keys modification.


Suspicious GCP project level metadata modification by a service account

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Low

Description

A service account has modified the metadata of the entire instances in the project.
This may indicate an attacker's attempt to perform lateral movement within the project.

Attacker's Goals

  • Maintain persistence on a compromised compute instance.
  • Escalate local privileges to gain root on compute instance.

Investigative actions

  • Investigate if SSH keys were modified or added at the instance or project level.
  • Investigate which permissions were obtained as a result of the SSH keys modification.


Suspicious GCP project level metadata modification

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Informational

Description

An identity account has modified the metadata of the entire instances in the project.
This may indicate an attacker's attempt to perform lateral movement within the project.

Attacker's Goals

  • Maintain persistence on a compromised compute instance.
  • Escalate local privileges to gain root on compute instance.

Investigative actions

  • Investigate if SSH keys were modified or added at the instance or project level.
  • Investigate which permissions were obtained as a result of the SSH keys modification.


Suspicious GCP project level metadata modification attempt

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Informational

Description

An identity account has modified the metadata of the entire instances in the project.
This may indicate an attacker's attempt to perform lateral movement within the project.

Attacker's Goals

  • Maintain persistence on a compromised compute instance.
  • Escalate local privileges to gain root on compute instance.

Investigative actions

  • Investigate if SSH keys were modified or added at the instance or project level.
  • Investigate which permissions were obtained as a result of the SSH keys modification.