administrator or network operator can create file in ~/.ssh folders for automation purposes. please update the filter macros to remove false positives.

t1098
T1098.004
endpoint
splunk

Techniques

T1098
T1098.004

Sample rules

Linux Possible Ssh Key File Creation

source: splunk
technicques:
- T1098.004
- T1098

Description

This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. This technique is commonly abused by threat actors and adversaries to gain persistence and privilege escalation to the targeted host. by creating ssh private and public key and passing the public key to the attacker server. threat actor can access remotely the machine using openssh daemon service.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/.ssh*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `linux_possible_ssh_key_file_creation_filter`