
Linux Account Manipulation Of SSH Config and Keys

Splunk Security Content

Summary
This analytic detects potentially malicious manipulation of SSH keys and configuration on Linux systems by monitoring the deletion of files under the critical SSH directories '/etc/ssh/*' and '~/.ssh/*'. Attackers delete these files to evade detection (T1070.004, File Deletion) or as part of a broader destructive attack (T1485, Data Destruction), an approach similar to the AcidRain malware. The rule consumes filesystem events collected by Sysmon for Linux and matches those whose action is a file deletion within the monitored paths; note that Sysmon event ID 11 is FileCreate, not a deletion event, so confirm that file deletion events are actually being collected and normalized before relying on this rule. Each matching deletion is correlated with the responsible process and user so an analyst can judge whether the activity is benign (for example, an administrator rotating host keys or clearing a known_hosts file) or malicious. Confirmed detections warrant immediate investigation: improper handling can leave the system in a compromised state and destroy evidence needed for forensics.
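The following is an added illustration of the detection logic described above, not code from Splunk Security Content. It runs the same path filter and process/user correlation over a handful of constructed Sysmon-for-Linux-style events (hypothetical values, not real captures). The expansion of '~/.ssh/*' to /root/.ssh and /home/*/.ssh, the event ID to action mapping, and all field names are this example's assumptions:

```python
import fnmatch
from collections import defaultdict

# Directories the detection watches. The rule's "~/.ssh/*" is expanded here to
# the usual home locations; that expansion is this example's assumption.
WATCHED_GLOBS = ("/etc/ssh/*", "/root/.ssh/*", "/home/*/.ssh/*")

# Sysmon event IDs mapped to a normalized filesystem action. Event ID 11 is
# FileCreate and event ID 23 is FileDelete; only the latter is a deletion, so
# a feed that ships only event ID 11 never fires this logic.
SYSMON_ACTION = {11: "created", 23: "deleted"}

# Constructed sample events in a Sysmon-for-Linux-like field layout
# (hypothetical hosts, GUIDs and users; not real captures).
SAMPLE_EVENTS = [
    {"EventID": 23, "UtcTime": "2024-11-13 10:00:01.000", "Computer": "web01",
     "TargetFilename": "/home/alice/.ssh/authorized_keys", "Image": "/usr/bin/rm",
     "ProcessGuid": "{guid-1}", "User": "alice"},
    {"EventID": 23, "UtcTime": "2024-11-13 10:00:02.000", "Computer": "web01",
     "TargetFilename": "/etc/ssh/ssh_host_ed25519_key", "Image": "/usr/bin/rm",
     "ProcessGuid": "{guid-1}", "User": "alice"},
    # FileCreate in /etc/ssh: must NOT match, it is not a deletion.
    {"EventID": 11, "UtcTime": "2024-11-13 10:05:00.000", "Computer": "web01",
     "TargetFilename": "/etc/ssh/ssh_host_ed25519_key", "Image": "/usr/bin/ssh-keygen",
     "ProcessGuid": "{guid-2}", "User": "root"},
    # Deletion outside the watched paths: must NOT match.
    {"EventID": 23, "UtcTime": "2024-11-13 10:06:00.000", "Computer": "web01",
     "TargetFilename": "/tmp/build.log", "Image": "/usr/bin/rm",
     "ProcessGuid": "{guid-3}", "User": "ci"},
    # Single known_hosts removal by ssh-keygen: matches, but looks benign.
    {"EventID": 23, "UtcTime": "2024-11-13 11:00:00.000", "Computer": "db02",
     "TargetFilename": "/home/bob/.ssh/known_hosts", "Image": "/usr/bin/ssh-keygen",
     "ProcessGuid": "{guid-4}", "User": "bob"},
]


def is_watched_path(path):
    """True if the path falls under one of the SSH directories the rule monitors."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in WATCHED_GLOBS)


def normalize(event):
    """Map a raw Sysmon-style event onto the fields the rule keys on, or return
    None when the event ID is not a filesystem event this example understands."""
    action = SYSMON_ACTION.get(event.get("EventID"))
    if action is None:
        return None
    return {
        "time": event["UtcTime"],
        "dest": event["Computer"],
        "action": action,
        "file_path": event["TargetFilename"],
        "process": event["Image"],
        "process_guid": event["ProcessGuid"],
        "user": event["User"],
    }


def detect_ssh_file_deletions(events):
    """Return normalized events that are deletions inside the watched SSH paths."""
    hits = []
    for raw in events:
        ev = normalize(raw)
        if ev and ev["action"] == "deleted" and is_watched_path(ev["file_path"]):
            hits.append(ev)
    return hits


def correlate_by_process(hits):
    """Group hits by (host, process GUID) so an analyst sees which process and
    user removed which files. Many SSH files removed by one process resembles a
    wiper; one known_hosts removal by ssh-keygen is more likely routine."""
    groups = defaultdict(lambda: {"user": None, "process": None, "files": []})
    for ev in hits:
        group = groups[(ev["dest"], ev["process_guid"])]
        group["user"], group["process"] = ev["user"], ev["process"]
        group["files"].append(ev["file_path"])
    return dict(groups)


if __name__ == "__main__":
    for key, group in correlate_by_process(detect_ssh_file_deletions(SAMPLE_EVENTS)).items():
        print(key, group)
```

Running the block reports two groups: the rm process on web01 that removed both a user's authorized_keys and a host key (the pattern worth escalating), and the ssh-keygen process on db02 that removed a single known_hosts file. The FileCreate event and the deletion in /tmp are filtered out, which is the point of checking the normalized action rather than the event ID alone.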
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • File
ATT&CK Techniques
  • T1485
  • T1070.004
  • T1070
Created: 2024-11-13