Techniques
Sample rules
Potential OpenSSH Backdoor Logging Activity
- source: elastic
- technicques:
- T1554
- T1556
Description
Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.
Detection logic
file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
(
(file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history", ".google_authenticator",
".jelenv", ".csvignore", ".rtreport")) or
file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or
file.path :
(
"/private/etc/*--",
"/usr/share/*",
"/usr/include/*",
"/usr/local/include/*",
"/private/tmp/*",
"/private/var/tmp/*",
"/usr/tmp/*",
"/usr/share/man/*",
"/usr/local/share/*",
"/usr/lib/*.so.*",
"/private/etc/ssh/.sshd_auth",
"/usr/bin/ssd",
"/private/var/opt/power",
"/private/etc/ssh/ssh_known_hosts",
"/private/var/html/lol",
"/private/var/log/utmp",
"/private/var/lib",
"/var/run/sshd/sshd.pid",
"/var/run/nscd/ns.pid",
"/var/run/udev/ud.pid",
"/var/run/udevd.pid"
)
)