Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Изменение авторизованных SSH-ключей
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Изменение авторизованных SSH-к...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Account Manipulation:  Изменение авторизованных SSH-ключей

ID Название
.001 Дополнительные облачные учетные данные
.002 Выдача доп. прав учетной записи эл. почты Exchange
.003 Добавление роли глобального администратора Office 365
.004 Изменение авторизованных SSH-ключей
.005 Регистрация устройства
.006 Additional Container Cluster Roles
.007 Additional Local or Domain Groups

Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user. Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` Network Device CLI command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)

ID: T1098.004
Относится к технике:  T1098
Тактика(-и): Persistence, Privilege Escalation
Платформы: IaaS, Linux, macOS, Network
Источники данных: Command: Command Execution, File: File Modification, Process: Process Creation
Версия: 1.3
Дата создания: 24 Jun 2020
Последнее изменение: 03 Oct 2023

Примеры процедур
Название Описание
Earth Lusca

Earth Lusca has dropped an SSH-authorized key in the `/root/.ssh` folder in order to access a compromised server with SSH.(Citation: TrendMicro EarthLusca 2022)
Skidmap

Skidmap has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host.(Citation: Trend Micro Skidmap)
XCSSET

XCSSET will create an ssh key if necessary with the ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P command. XCSSET will upload a private key file to the server to remotely access the host without a password.(Citation: trendmicro xcsset xcode project 2020)

Bundlore

Bundlore creates a new key pair with ssh-keygen and drops the newly created user key in authorized_keys to enable remote login.(Citation: MacKeeper Bundlore Apr 2019)
TeamTNT

TeamTNT has added RSA keys in authorized_keys.(Citation: Aqua TeamTNT August 2020)(Citation: Cisco Talos Intelligence Group)

Контрмеры
Контрмера Описание
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.
Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Обнаружение

Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file. In cloud environments, monitor instances for modification of metadata and configurations. Monitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config. For network infrastructure devices, collect AAA logging to monitor for rogue SSH keys being added to accounts.

Ссылки

  1. ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020.
  2. Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022.
  3. Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022.
  4. Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020.
  5. Cisco. (2021, August 23). ip ssh pubkey-chain. Retrieved July 13, 2022.
  6. Chris Moberly. (2020, February 12). Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments. Retrieved April 1, 2022.
  7. Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020.
  8. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  9. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  10. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  11. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  12. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
  13. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.