Linux Possible Ssh Key File Creation
Description
The following analytic detects the creation of SSH key files in the ~/.ssh/ directory. It leverages filesystem data to identify new files in this specific path. This activity is significant because threat actors often create SSH keys to gain persistent access and escalate privileges on a compromised host. If confirmed malicious, this could allow attackers to remotely access the machine using the OpenSSH daemon service, leading to potential unauthorized control and data exfiltration.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2024-05-15
- Author: Teoderick Contreras, Splunk
- ID: c04ef40c-72da-11ec-8eac-acde48001122
Annotations
ATT&CK
Kill Chain Phase
- Installation
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/.ssh*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `linux_possible_ssh_key_file_creation_filter`
Macros
The SPL above uses the following Macros:
linux_possible_ssh_key_file_creation_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Filesystem.dest
- Filesystem.file_create_time
- Filesystem.file_name
- Filesystem.process_guid
- Filesystem.file_path
How To Implement
To successfully implement this search, you need to be ingesting logs from your endpoints that include the file name, file path, and process_guid of file creation events. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
Known False Positives
Administrators or network operators may create files in ~/.ssh directories for automation purposes. Please update the filter macro to remove these false positives.
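As an added illustration (not part of Splunk's security content, and not runnable inside Splunk), the following Python script simulates what the tstats search above computes over a handful of constructed Endpoint.Filesystem events: it keeps only events whose file_path matches `*/.ssh*` (note that, like the SPL, it matches on path alone and does not inspect the filesystem action), groups them by dest, file_name, process_guid and file_path, and computes count, firstTime and lastTime per group. An allowlist of (dest glob, file_path glob) pairs plays the role of the `linux_possible_ssh_key_file_creation_filter` macro for the automation-account false positive described in the section above, and the RBA row is rendered from the page's message template. All hostnames, paths, GUIDs and timestamps are made up for the example.

```python
"""Offline simulation of the 'Linux Possible SSH Key File Creation' search.
Added example; not Splunk's own code. Sample data below is constructed."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed events shaped like Endpoint.Filesystem records (_time = epoch seconds).
SAMPLE_EVENTS = [
    {"_time": 1715760000, "dest": "web01", "file_name": "id_rsa",
     "file_path": "/home/deploy/.ssh/id_rsa", "process_guid": "{guid-1}"},
    {"_time": 1715760005, "dest": "web01", "file_name": "authorized_keys",
     "file_path": "/root/.ssh/authorized_keys", "process_guid": "{guid-2}"},
    {"_time": 1715760010, "dest": "web01", "file_name": "authorized_keys",
     "file_path": "/root/.ssh/authorized_keys", "process_guid": "{guid-2}"},
    {"_time": 1715760020, "dest": "db01", "file_name": "notes.txt",
     "file_path": "/home/alice/notes.txt", "process_guid": "{guid-3}"},
    {"_time": 1715760030, "dest": "ci01", "file_name": "authorized_keys",
     "file_path": "/home/ansible/.ssh/authorized_keys", "process_guid": "{guid-4}"},
]

# The IN ("*/.ssh*") clause of the search. Splunk's "*" is a glob-style wildcard,
# so fnmatchcase ("*" also crosses "/") is a close stand-in.
SSH_PATH_PATTERNS = ("*/.ssh*",)

# Hypothetical allowlist standing in for the (empty by default) filter macro:
# automation account "ansible" writing its own keys on CI hosts.
ALLOWLIST = [("ci*", "/home/ansible/.ssh/*")]

RBA_MESSAGE = "A file $file_name$ is created in $file_path$ on $dest$"


def matches_ssh_path(file_path):
    """where Filesystem.file_path IN ("*/.ssh*")"""
    return any(fnmatchcase(file_path, pat) for pat in SSH_PATH_PATTERNS)


def detect(events):
    """tstats count min(_time) as firstTime max(_time) as lastTime
    ... by dest file_name process_guid file_path"""
    groups = defaultdict(list)
    for ev in events:
        if matches_ssh_path(ev["file_path"]):
            key = (ev["dest"], ev["file_name"], ev["process_guid"], ev["file_path"])
            groups[key].append(ev["_time"])
    rows = []
    for (dest, file_name, process_guid, file_path), times in groups.items():
        rows.append({
            "dest": dest, "file_name": file_name, "process_guid": process_guid,
            "file_path": file_path, "count": len(times),
            "firstTime": min(times), "lastTime": max(times),
        })
    return rows


def apply_filter_macro(rows, allowlist):
    """Drop rows whose (dest, file_path) match an allowlisted glob pair,
    the way the filter macro suppresses known-good automation."""
    return [r for r in rows
            if not any(fnmatchcase(r["dest"], d) and fnmatchcase(r["file_path"], p)
                       for d, p in allowlist)]


def risk_score(impact, confidence):
    """Risk Score = Impact * Confidence / 100 (per the RBA section)."""
    return impact * confidence / 100


def render_message(row, template=RBA_MESSAGE):
    """Substitute $field$ tokens in the RBA message with the row's values."""
    out = template
    for field, value in row.items():
        out = out.replace(f"${field}$", str(value))
    return out


if __name__ == "__main__":
    for row in apply_filter_macro(detect(SAMPLE_EVENTS), ALLOWLIST):
        print(f"[risk {risk_score(60, 60)}] {render_message(row)} "
              f"(count={row['count']}, first={row['firstTime']}, last={row['lastTime']})")
```

Running the script keeps the web01 rows (the `/root/.ssh/authorized_keys` group collapses two events into count=2) and suppresses the ci01 automation row, which is exactly the tuning the filter macro is meant for: the search itself stays unchanged and only the allowlist grows.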
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 36.0 | 60 | 60 | A file $file_name$ is created in $file_path$ on $dest$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact values are set by the analytic author.
Reference
- https://www.hackingarticles.in/ssh-penetration-testing-port-22/
- https://attack.mitre.org/techniques/T1098/004/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
Version: 2