Techniques
Sample rules
Linux SSH Authorized Keys Modification
- source: splunk
- techniques:
- T1098.004
Description
The following analytic identifies, based on process execution, modification of SSH authorized_keys files. Adversaries perform this behavior to persist on endpoints. During triage, review parallel processes and capture any additional file modifications for review.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("bash","cat") Processes.process IN ("*/authorized_keys*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_ssh_authorized_keys_modification_filter`
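The detection logic above, re-implemented outside Splunk so it can be run against a handful of records offline. This is an added example, not Splunk's own code or macro: it applies the same where-clause (process_name in bash/cat and a command line matching */authorized_keys*), aggregates count, firstTime and lastTime over the same by-fields, and stands in for the empty tuning macro with a small allowlist function. The Endpoint.Processes-style records are constructed; the allowlist shape is an assumption.

```python
"""Offline re-implementation of the Linux SSH Authorized Keys Modification
search (added example, not Splunk's code).  Filters Endpoint.Processes-style
records the way the tstats where-clause does and aggregates like the
`count min(_time) max(_time) ... by <fields>` part of the search."""
from fnmatch import fnmatch

# Same constants as the SPL: Processes.process_name IN ("bash","cat") and
# Processes.process IN ("*/authorized_keys*").
PROCESS_NAMES = {"bash", "cat"}
PROCESS_PATTERN = "*/authorized_keys*"

# The by-clause of the tstats search, in order.
GROUP_FIELDS = ("dest", "user", "parent_process_name", "process_name",
                "process", "process_id", "parent_process_id")

# Constructed sample records (_time as epoch seconds). Two append a key via
# bash, one reads the file via cat, one bash call is unrelated, and one edit
# happens through vim, which this rule does not cover.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "web01", "user": "deploy",
     "parent_process_name": "sshd", "process_name": "bash",
     "process": "bash -c 'echo ssh-ed25519 AAAA... >> /home/deploy/.ssh/authorized_keys'",
     "process_id": "4101", "parent_process_id": "4099"},
    {"_time": 1700000030, "dest": "web01", "user": "deploy",
     "parent_process_name": "sshd", "process_name": "bash",
     "process": "bash -c 'echo ssh-ed25519 AAAA... >> /home/deploy/.ssh/authorized_keys'",
     "process_id": "4101", "parent_process_id": "4099"},
    {"_time": 1700000060, "dest": "web01", "user": "root",
     "parent_process_name": "bash", "process_name": "cat",
     "process": "cat /root/.ssh/authorized_keys",
     "process_id": "4200", "parent_process_id": "4150"},
    {"_time": 1700000090, "dest": "web01", "user": "deploy",
     "parent_process_name": "sshd", "process_name": "bash",
     "process": "bash -c 'ls -la /home/deploy'",
     "process_id": "4300", "parent_process_id": "4099"},
    {"_time": 1700000120, "dest": "db01", "user": "admin",
     "parent_process_name": "bash", "process_name": "vim",
     "process": "vim /home/admin/.ssh/authorized_keys",
     "process_id": "5000", "parent_process_id": "4990"},
]


def matches(event):
    """Equivalent of the tstats where-clause."""
    return (event.get("process_name") in PROCESS_NAMES
            and fnmatch(event.get("process", ""), PROCESS_PATTERN))


def aggregate(events):
    """Equivalent of `count min(_time) as firstTime max(_time) as lastTime
    ... by <GROUP_FIELDS>`. Returns one dict per distinct group."""
    groups = {}
    for ev in events:
        if not matches(ev):
            continue
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0,
                                    "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row.update(g)
        rows.append(row)
    return rows


def apply_filter(rows, allowlist=()):
    """Stand-in for the `linux_ssh_authorized_keys_modification_filter` macro,
    which ships empty and is tuned per environment. The (dest, user, process)
    allowlist shape here is an assumption for the example, not Splunk's."""
    return [r for r in rows
            if (r["dest"], r["user"], r["process"]) not in allowlist]


if __name__ == "__main__":
    for row in apply_filter(aggregate(SAMPLE_EVENTS)):
        print(row)
```

Running it yields two rows: the bash append on web01 (count 2, firstTime 1700000000, lastTime 1700000030) and the cat read by root. The vim edit produces no row, which shows the scope of the rule as written: only bash and cat are matched, so an authorized_keys change made with an editor or a file-copy utility needs a separate file-modification analytic. Splunk's wildcard match is case-insensitive while fnmatch is case-sensitive on POSIX, so treat the comparison as illustrative.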