A process modified an SSH authorized_keys file

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

Kubernetes - AGENT, Containers

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Informational

Description

A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host.

Attacker's Goals

Adversaries use this to ensure that they are possessing the corresponding private key and may log in as an existing user via SSH.

Investigative actions

Check the file modification, try to understand the impact of the related processes and network connections.

Variations

A process modified an SSH authorized_keys2 file

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Low

Description

A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host.

Attacker's Goals

Adversaries use this to ensure that they are possessing the corresponding private key and may log in as an existing user via SSH.

Investigative actions

Check the file modification, try to understand the impact of the related processes and network connections.


A process modified an SSH authorized_keys file from within a Kubernetes Pod

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Low

Description

A process modified an SSH authorized_keys file, which is used in SSH authentication. An attack can add or remove an SSH key to gain access to a targeted host.

Attacker's Goals

Adversaries use this to ensure that they are possessing the corresponding private key and may log in as an existing user via SSH.

Investigative actions

Check the file modification, try to understand the impact of the related processes and network connections.


Unpopular process modified the SSH authorized_keys file

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: SSH Authorized Keys (T1098.004)

Severity

Low

Description

An unpopular process modified the SSH authorized_keys file.

Attacker's Goals

Adversaries use this to ensure that they are possessing the corresponding private key and may log in as an existing user via SSH.

Investigative actions

Check the file modification, try to understand the impact of the related processes and network connections.