Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-aws-cloudtrail-log-detections
Overview
4Dashboards
86Benchmarks
96Queries
1Variables
GitHub

Benchmark: T1098.004 Account Manipulation: SSH Authorized Keys

Overview

Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys. Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.

Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s "add-metadata" command an adversary may add SSH keys to a user account. Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH. It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.

Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.

SSH keys can also be added to accounts on network devices, such as with the ip ssh pubkey-chain Network Device CLI command.

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections

Start the Powerpipe server:

powerpipe server

Open http://localhost:9033 in your browser and select T1098.004 Account Manipulation: SSH Authorized Keys.

Run this benchmark in your terminal:

powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0004_t1098_004

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0004_t1098_004 --share

Detections

Tags

category = Detections
mitre_attack_tactic_id = TA0004
mitre_attack_technique_id = T1098.004
mitre_attack_version = v16.1
plugin = aws
service = AWS/CloudTrail