security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e277ecd2306c2cabf10c8a979287c50eba7602d2
sigma-rules/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md
T
Terrance DeJesus 70411664cf [Bug] Normalize Hunting Index Link Generation (#3872) 
* normalizing hunting link generation

* replacing header

* adjusting quotes in f-strings

* added source file to metadata

* removed os dependency

* address bug in source file links

* reverting TOML loading

* change all List type hinting to list

* change all List type hinting to list

* fixed accented characters in queries

* reverted accent character removal; moved macos query and MD to macos folder
2024-07-10 11:01:59 -04:00

2.1 KiB
Raw Blame History

Persistence via SSH Configurations and/or Keys

Metadata

  • Author: Elastic

  • Description: This hunt identifies potential SSH persistence mechanisms on Linux systems using OSQuery. It monitors SSH keys, authorized_keys files, SSH configuration files, and SSH file information to detect unauthorized access or persistence techniques. The hunt lists detailed information for further analysis and investigation.

  • UUID: aa759db0-4499-42f2-9f2f-be3e00fdebfa

  • Integration: endpoint

  • Language: [SQL]

  • Source File: Persistence via SSH Configurations and/or Keys

Query

SELECT * FROM user_ssh_keys

SELECT authorized_keys.*
FROM users
JOIN authorized_keys
USING(uid)

SELECT * FROM ssh_configs

SELECT
    f.filename,
    f.path,
    u.username AS file_owner,
    g.groupname AS group_owner,
    datetime(f.atime, 'unixepoch') AS file_last_access_time,
    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
    datetime(f.ctime, 'unixepoch') AS file_last_status change_time,
    datetime(f.btime, 'unixepoch') AS file_created_time,
    f.size AS size_bytes
FROM
    file f
LEFT JOIN
    users u ON f.uid = u.uid
LEFT JOIN
    groups g ON f.gid = g.gid
WHERE
    f.path LIKE "/root/.ssh/%"
    OR f.path LIKE "/home/%/.ssh/%"
    OR f.path LIKE "/etc/ssh/%"
    OR f.path LIKE "/etc/ssh/sshd_config.d/%"
    OR f.path LIKE "/etc/ssh/ssh_config.d/%"

Notes

  • Monitors SSH keys, authorized_keys files, and SSH configuration files using OSQuery to detect potential unauthorized access or persistence techniques.
  • Lists detailed information about SSH files, including paths, owners, and permissions.
  • Requires additional data analysis and investigation into results to identify malicious or unauthorized SSH configurations and keys.

MITRE ATT&CK Techniques

License

  • Elastic License v2
Reference in New Issue View Git Blame Copy Permalink