administrator or network operator can create file in ~/.ssh folders for automation purposes. please update the filter macros to remove false positives.

Techniques

T1098.004

Sample rules

Linux Possible Ssh Key File Creation

source: splunk
technicques:
- T1098.004

Description

The following analytic detects the creation of SSH key files in the ~/.ssh/ directory. It leverages filesystem data to identify new files in this specific path. This activity is significant because threat actors often create SSH keys to gain persistent access and escalate privileges on a compromised host. If confirmed malicious, this could allow attackers to remotely access the machine using the OpenSSH daemon service, leading to potential unauthorized control and data exfiltration.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/.ssh*") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `linux_possible_ssh_key_file_creation_filter`