linux_possible_ssh_key_file_creation.yml
name: Linux Possible Ssh Key File Creation
id: c04ef40c-72da-11ec-8eac-acde48001122
version: 1
date: '2022-01-11'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: This analytic looks for possible SSH key file creation in the ~/.ssh/
  folder. This technique is commonly abused by threat actors and adversaries to gain
  persistence and privilege escalation on the targeted host: by creating an SSH private
  and public key pair and passing the public key to the attacker's server, the threat
  actor can remotely access the machine using the OpenSSH daemon service.
data_source:
- Sysmon for Linux EventID 11
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/.ssh*")
  by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path
  | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
  | `linux_possible_ssh_key_file_creation_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
  logs with the file name, file path, and process_guid executions from your endpoints.
  If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
known_false_positives: Administrators or network operators can create files in ~/.ssh
  folders for automation purposes. Please update the filter macros to remove false
  positives.
references:
- https://www.hackingarticles.in/ssh-penetration-testing-port-22/
- https://attack.mitre.org/techniques/T1098/004/
tags:
  analytic_story:
  - Linux Privilege Escalation
  - Linux Persistence Techniques
  - Linux Living Off The Land
  asset_type: Endpoint
  confidence: 60
  impact: 60
  message: A file $file_name$ is created in $file_path$ on $dest$
  mitre_attack_id:
  - T1098.004
  - T1098
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Filesystem.dest
  - Filesystem.file_create_time
  - Filesystem.file_name
  - Filesystem.process_guid
  - Filesystem.file_path
  risk_score: 36
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log
    source: Syslog:Linux-Sysmon/Operational
    sourcetype: sysmon_linux
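As an added illustration (not part of the Splunk security_content rule above), this Python snippet emulates what the `search` and `known_false_positives` sections describe: the `*/.ssh*` path match, the per dest/file_name/process_guid/file_path aggregation with count, firstTime and lastTime, and a filter-macro stand-in, run over constructed Sysmon for Linux EventID 11 events already normalized to the Endpoint.Filesystem fields. The event values and the `allowlisted` function standing in for `linux_possible_ssh_key_file_creation_filter` are assumptions.

```python
from fnmatch import fnmatch

# Constructed Sysmon for Linux EventID 11 (FileCreate) events, normalized to the
# Endpoint.Filesystem fields the detection requires. Not real telemetry.
EVENTS = [
    {"_time": 1641900000, "dest": "web01", "file_name": "authorized_keys",
     "file_path": "/home/deploy/.ssh/authorized_keys", "process_guid": "{A1}"},
    {"_time": 1641900060, "dest": "web01", "file_name": "authorized_keys",
     "file_path": "/home/deploy/.ssh/authorized_keys", "process_guid": "{A1}"},
    {"_time": 1641900100, "dest": "web01", "file_name": "id_rsa",
     "file_path": "/root/.ssh/id_rsa", "process_guid": "{B2}"},
    {"_time": 1641900200, "dest": "db02", "file_name": "access.log",
     "file_path": "/var/log/nginx/access.log", "process_guid": "{C3}"},
    {"_time": 1641900300, "dest": "db02", "file_name": "known_hosts",
     "file_path": "/home/ansible/.ssh/known_hosts", "process_guid": "{D4}"},
]

# Mirrors: where Filesystem.file_path IN ("*/.ssh*"). fnmatch's "*" spans "/",
# like Splunk's wildcard; unlike Splunk it is case-sensitive on Linux.
PATH_PATTERNS = ["*/.ssh*"]

def allowlisted(event, approved_dirs=("/home/ansible/.ssh/",)):
    """Stand-in for the filter macro: drop approved automation accounts (assumed)."""
    return any(event["file_path"].startswith(d) for d in approved_dirs)

def detect(events, patterns=PATH_PATTERNS, filter_fn=allowlisted):
    """Group matching, non-filtered events by dest, file_name, process_guid and
    file_path, returning count/firstTime/lastTime like the tstats aggregation."""
    groups = {}
    for e in events:
        if not any(fnmatch(e["file_path"], p) for p in patterns) or filter_fn(e):
            continue
        key = (e["dest"], e["file_name"], e["process_guid"], e["file_path"])
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"],
                                    "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    return groups

def risk_messages(groups):
    """Render the rule's message template for each aggregated result."""
    return [f"A file {k[1]} is created in {k[3]} on {k[0]}" for k in groups]

if __name__ == "__main__":
    results = detect(EVENTS)
    for key, agg in results.items():
        print(key, agg)
    print("\n".join(risk_messages(results)))
```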