Esc

SSH Authorized Keys - T1098.004

(ATT&CK® Technique)

Definition

Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys. Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1098004["SSH Authorized Keys"] --> |modifies| UserAccount["User Account"]; class T1098004 OffensiveTechniqueNode;
        class UserAccount ArtifactNode; click UserAccount href "/dao/artifact/d3f:UserAccount";
        click T1098004 href "/offensive-technique/attack/T1098.004/"; click UserAccount href "/dao/artifact/d3f:UserAccount";AccountLocking["Account Locking"] -->
          | disables | UserAccount["User Account"];

          AccountLocking["Account Locking"] -.->
            | May Evict | T1098004["SSH Authorized Keys"] ;
          class AccountLocking DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click AccountLocking href "/technique/d3f:AccountLocking"; BiometricAuthentication["Biometric Authentication"] -->
          | authenticates | UserAccount["User Account"];

          BiometricAuthentication["Biometric Authentication"] -.->
            | May Harden | T1098004["SSH Authorized Keys"] ;
          class BiometricAuthentication DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click BiometricAuthentication href "/technique/d3f:BiometricAuthentication"; Multi-factorAuthentication["Multi-factor Authentication"] -->
          | authenticates | UserAccount["User Account"];

          Multi-factorAuthentication["Multi-factor Authentication"] -.->
            | May Harden | T1098004["SSH Authorized Keys"] ;
          class Multi-factorAuthentication DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; One-timePassword["One-time Password"] -->
          | authenticates | UserAccount["User Account"];

          One-timePassword["One-time Password"] -.->
            | May Harden | T1098004["SSH Authorized Keys"] ;
          class One-timePassword DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click One-timePassword href "/technique/d3f:One-timePassword"; StrongPasswordPolicy["Strong Password Policy"] -->
          | strengthens | UserAccount["User Account"];

          StrongPasswordPolicy["Strong Password Policy"] -.->
            | May Harden | T1098004["SSH Authorized Keys"] ;
          class StrongPasswordPolicy DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click StrongPasswordPolicy href "/technique/d3f:StrongPasswordPolicy"; UserAccountPermissions["User Account Permissions"] -->
          | restricts | UserAccount["User Account"];

          UserAccountPermissions["User Account Permissions"] -.->
            | May Harden | T1098004["SSH Authorized Keys"] ;
          class UserAccountPermissions DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click UserAccountPermissions href "/technique/d3f:UserAccountPermissions";  RestoreUserAccountAccess["Restore User Account Access"] -->
          | restores | UserAccount["User Account"];

          RestoreUserAccountAccess["Restore User Account Access"] -.->
            | May Restore | T1098004["SSH Authorized Keys"] ;
          class RestoreUserAccountAccess DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; UnlockAccount["Unlock Account"] -->
          | restores | UserAccount["User Account"];

          UnlockAccount["Unlock Account"] -.->
            | May Restore | T1098004["SSH Authorized Keys"] ;
          class UnlockAccount DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click UnlockAccount href "/technique/d3f:UnlockAccount";

json