Suspicious process modified an SSH authorized_keys file

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent
  • Requires:
    • eXtended Threat Hunting (XTH)

Detection Modules

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Low

Description

A suspicious process modified an SSH authorized_keys file.

Attacker's Goals

Adversaries add a public key they control to the file so that, holding the corresponding private key, they can log in as an existing user via SSH.

Investigative actions

Check the file modification, and try to understand the impact of the related processes and network connections.

Variations

Suspicious process modified an SSH authorized_keys file from within a Kubernetes Pod

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Low

Description

A suspicious process modified an SSH authorized_keys file.

Attacker's Goals

Adversaries add a public key they control to the file so that, holding the corresponding private key, they can log in as an existing user via SSH.

Investigative actions

Check the file modification, and try to understand the impact of the related processes and network connections.


Web server process modified the SSH authorized_keys file

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Low

Description

A web server process modified the SSH authorized_keys file.

Attacker's Goals

Adversaries add a public key they control to the file so that, holding the corresponding private key, they can log in as an existing user via SSH.

Investigative actions

Check the file modification, and try to understand the impact of the related processes and network connections.


Unpopular process modified the SSH authorized_keys file

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Low

Description

An unpopular process modified the SSH authorized_keys file.

Attacker's Goals

Adversaries add a public key they control to the file so that, holding the corresponding private key, they can log in as an existing user via SSH.

Investigative actions

Check the file modification, and try to understand the impact of the related processes and network connections.
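As an added illustration, not Cortex XDR's own analytics (the reference does not disclose their logic), the Python below models how the alert and its three variations could be told apart when triaging file-write telemetry: the expected-writer and web-server process sets, the rarity threshold, the baseline counts and the sample events are all constructed assumptions.

```python
import re
from collections import Counter

AUTHORIZED_KEYS = re.compile(r"^(/root|/home/[^/]+)/\.ssh/authorized_keys$")
# Assumption: processes expected to write authorized_keys (provisioning tools, sshd).
EXPECTED_WRITERS = {"sshd", "cloud-init", "ssh-copy-id", "ansible"}
# Assumption: process names treated as web server processes.
WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm", "gunicorn"}

def classify(event, baseline, rare_threshold=3):
    """Return the alert variation for one file-write event, or None.
    event: dict with host, day, process, path and an optional in_pod flag.
    baseline: Counter of process name -> hosts on which it wrote
    authorized_keys during the training period (constructed below)."""
    if not AUTHORIZED_KEYS.match(event["path"]):
        return None
    proc = event["process"]
    if proc in EXPECTED_WRITERS:
        return None
    if event.get("in_pod"):  # container context reported by the sensor
        return "modified from within a Kubernetes Pod"
    if proc in WEB_SERVERS:
        return "web server process modified authorized_keys"
    if baseline[proc] < rare_threshold:  # rarely seen writer across the fleet
        return "unpopular process modified authorized_keys"
    return "suspicious process modified authorized_keys"

def triage(events, baseline):
    """Classify events, keeping one finding per host/process/label/day
    (the one-day deduplication period from the alert reference)."""
    seen, findings = set(), []
    for ev in events:
        label = classify(ev, baseline)
        key = (ev["host"], ev["process"], label, ev["day"])
        if label is not None and key not in seen:
            seen.add(key)
            findings.append((ev["host"], ev["process"], label))
    return findings

# Constructed baseline: number of hosts on which each process wrote the file.
BASELINE = Counter({"sshd": 40, "cloud-init": 38, "bash": 5, "python3": 1})

# Constructed file-write events, shaped like sensor telemetry.
SAMPLE_EVENTS = [
    {"host": "web01", "day": "2024-06-01", "process": "php-fpm", "path": "/home/www/.ssh/authorized_keys"},
    {"host": "web01", "day": "2024-06-01", "process": "php-fpm", "path": "/home/www/.ssh/authorized_keys"},
    {"host": "db02", "day": "2024-06-01", "process": "python3", "path": "/root/.ssh/authorized_keys"},
    {"host": "k8s-n1", "day": "2024-06-02", "process": "sh", "path": "/root/.ssh/authorized_keys", "in_pod": True},
    {"host": "app03", "day": "2024-06-02", "process": "cloud-init", "path": "/home/ubuntu/.ssh/authorized_keys"},
]
```

Running `triage(SAMPLE_EVENTS, BASELINE)` yields three findings: the duplicate php-fpm write is collapsed by the one-day window, and the cloud-init write is ignored as an expected writer.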