Techniques
Sample rules
Modification of OpenSSH Binaries
- source: elastic
- techniques:
  - T1021
  - T1543
  - T1556
  - T1563
Description
Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.
Detection logic
event.category:file and host.os.type:linux and event.type:change and
  process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and
  (file.path:(/usr/bin/scp or
              /usr/bin/sftp or
              /usr/bin/ssh or
              /usr/sbin/sshd) or
   file.name:libkeyutils.so) and
  not (
    process.executable:/usr/share/elasticsearch/* or
    process.name:(apk or ansible-admin or systemd or dnf or python*)
  )
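The rule's conditions as a Python predicate run over constructed ECS-style events, so the exclusions (package managers, the Elasticsearch tree, `python*`) can be checked offline; this is an added example, not Elastic's code, and `matches_rule`, `SAMPLE_EVENTS` and the flat dotted field names are assumptions (it also treats `event.category` as a single string rather than the ECS array).

```python
from fnmatch import fnmatchcase

# Values taken from the rule above.
WATCHED_PATHS = {"/usr/bin/scp", "/usr/bin/sftp", "/usr/bin/ssh", "/usr/sbin/sshd"}
WATCHED_NAME = "libkeyutils.so"
PKG_MANAGERS = {"dnf", "dnf-automatic", "dpkg", "yum", "rpm", "yum-cron",
                "anacron", "platform-python"}
EXCLUDED_NAMES = ("apk", "ansible-admin", "systemd", "dnf", "python*")
EXCLUDED_EXECUTABLE = "/usr/share/elasticsearch/*"

def matches_rule(event: dict) -> bool:
    """Return True when a flat ECS-style event satisfies the rule's KQL."""
    if (event.get("event.category") != "file" or event.get("host.os.type") != "linux"
            or event.get("event.type") != "change"):
        return False
    name = event.get("process.name")
    if not name or name in PKG_MANAGERS:  # process.name:* requires a non-empty value
        return False
    # File clause: either an exact watched path, or any file called libkeyutils.so.
    if event.get("file.path") not in WATCHED_PATHS and event.get("file.name") != WATCHED_NAME:
        return False
    # Exclusion block: Elasticsearch's own tree and a few trusted process names.
    if fnmatchcase(event.get("process.executable", ""), EXCLUDED_EXECUTABLE):
        return False
    if any(fnmatchcase(name, pat) for pat in EXCLUDED_NAMES):
        return False
    return True

# Constructed sample events (not real telemetry); common fields are merged in.
_BASE = {"event.category": "file", "host.os.type": "linux", "event.type": "change"}
SAMPLE_EVENTS = [
    dict(_BASE, **{"process.name": "cp", "process.executable": "/usr/bin/cp",
                   "file.path": "/usr/sbin/sshd", "file.name": "sshd"}),
    dict(_BASE, **{"process.name": "dpkg", "process.executable": "/usr/bin/dpkg",
                   "file.path": "/usr/bin/ssh", "file.name": "ssh"}),
    dict(_BASE, **{"process.name": "python3", "process.executable": "/usr/bin/python3",
                   "file.path": "/lib/libkeyutils.so", "file.name": "libkeyutils.so"}),
    dict(_BASE, **{"process.name": "ld", "process.executable": "/usr/bin/ld",
                   "file.path": "/tmp/build/libkeyutils.so", "file.name": "libkeyutils.so"}),
    dict(_BASE, **{"process.name": "java", "process.executable": "/usr/share/elasticsearch/jdk/bin/java",
                   "file.path": "/usr/bin/scp", "file.name": "scp"}),
    dict(_BASE, **{"process.name": "cp", "process.executable": "/usr/bin/cp",
                   "file.path": "/usr/bin/ssh", "file.name": "ssh", "event.type": "creation"}),
]

def alerting_events(events=SAMPLE_EVENTS) -> list:
    """Return (process.name, file.path) for every event the rule would alert on."""
    return [(e["process.name"], e["file.path"]) for e in events if matches_rule(e)]
```

Note that the `file.name:libkeyutils.so` clause fires on a file of that name in any directory, while the four SSH paths must match exactly.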