
T1098.004 SSH Authorized Keys

Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.[7] Users may edit the system's SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.

Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or REST API. For example, by using the Google Cloud CLI's "add-metadata" command an adversary may add SSH keys to a user account.[5][2] Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.[6] This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.[1][4]

Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.

SSH keys can also be added to accounts on network devices, such as with the ip ssh pubkey-chain Network Device CLI command.[3]

| Item | Value |
| --- | --- |
| ID | T1098.004 |
| Sub-techniques | T1098.001, T1098.002, T1098.003, T1098.004, T1098.005 |
| Tactics | TA0003 |
| Platforms | IaaS, Linux, Network, macOS |
| Version | 1.2 |
| Created | 24 June 2020 |
| Last Modified | 12 April 2023 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S0482 | Bundlore | Bundlore creates a new key pair with ssh-keygen and drops the newly created user key in authorized_keys to enable remote login.[9] |
| G1006 | Earth Lusca | Earth Lusca has dropped an SSH-authorized key in the /root/.ssh folder in order to access a compromised server with SSH.[11] |
| S0468 | Skidmap | Skidmap has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host.[10] |
| G0139 | TeamTNT | TeamTNT has added RSA keys in authorized_keys.[13][12] |
| S0658 | XCSSET | XCSSET will create an ssh key if necessary with the ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P command. XCSSET will upload a private key file to the server to remotely access the host without a password.[8] |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1042 | Disable or Remove Feature or Program | Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using /etc/ssh/sshd_config. |
| M1022 | Restrict File and Directory Permissions | Restrict access to the authorized_keys file. |
| M1018 | User Account Management | In cloud environments, ensure that only users who explicitly require the permissions to update instance metadata or configurations can do so. |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0017 | Command | Command Execution |
| DS0022 | File | File Modification |
| DS0009 | Process | Process Creation |
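The File Modification data component above is only actionable if a defender can tell which entries in an authorized_keys file are new. The following added example (not part of the ATT&CK page or any referenced tool) parses the authorized_keys format described in the technique text, computes OpenSSH-style SHA256 fingerprints, and reports every key that is not in an approved baseline; the sample file, the key bytes and the baseline are constructed for the example.

```python
import base64
import hashlib
import re

# One authorized_keys entry: [options] keytype base64-blob [comment] (sshd(8) file format).
# Options may hold quoted strings with spaces (command="a b"), so the options group is quote-aware.
_ENTRY_RE = re.compile(r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?(?P<type>(?:ssh|ecdsa|sk)-[\w.@-]+)\s+'
                       r'(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$')

def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint (SHA256:<base64, no padding>) of a public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """One dict per key entry; blank and '#' lines are skipped, unparseable lines are kept and flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        try:
            fp = ssh_fingerprint(m.group("blob")) if m else None
        except ValueError:  # blob is not valid base64
            fp = None
        if fp is None:
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        entries.append({"line": lineno, "malformed": False, "fingerprint": fp, "type": m.group("type"),
                        "options": m.group("opts") or "", "comment": m.group("comment") or ""})
    return entries

def audit_authorized_keys(text: str, approved: set) -> list:
    """Entries whose fingerprint is not in the approved baseline, plus any malformed lines."""
    return [e for e in parse_authorized_keys(text) if e["malformed"] or e["fingerprint"] not in approved]

def _ed25519_blob(raw32: bytes) -> str:
    """Wire encoding of an ssh-ed25519 public key (RFC 8709): string "ssh-ed25519", then 32 raw bytes."""
    parts = [b"ssh-ed25519", raw32]
    return base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()

# Constructed sample file; the key bytes are deterministic filler, not keys from any real host.
SAMPLE_FILE = "\n".join([
    "# keys issued by the admin team",
    f"ssh-ed25519 {_ed25519_blob(bytes(range(32)))} alice@workstation",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {_ed25519_blob(bytes([7] * 32))} backup@bastion',
    "",
    f"ssh-ed25519 {_ed25519_blob(bytes([0xAA] * 32))} root@unknown-host",  # not in the baseline
])
```

Running `audit_authorized_keys(SAMPLE_FILE, baseline)` with a baseline built from the first two entries returns only the root@unknown-host entry; in practice the baseline comes from configuration management and the check runs on every File Modification event for the file.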

References


  1. Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020. 

  2. Chris Moberly. (2020, February 12). Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments. Retrieved April 1, 2022. 

  3. Cisco. (2021, August 23). ip ssh pubkey-chain. Retrieved July 13, 2022. 

  4. Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020. 

  5. Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022. 

  6. Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022. 

  7. ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020. 

  8. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  9. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  10. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. 

  11. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  12. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  13. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.