splApache-2.0from splunk/security_content
Linux Account Manipulation Of SSH Config and Keys
The following analytic detects the deletion of SSH keys on a Linux machine. It leverages filesystem event logs to identify when files within "/etc/ssh/*" or "~/.ssh/*" are deleted. This activity is significant because attackers may delete or modify SSH keys to evade security measures or as part of a destructive payload, similar to the AcidRain malware. If confirmed malicious, this behavior could lead to impaired security features, hindered forensic investigations, or further unauthorized access, necessitating immediate investigation to identify the responsible process and user.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.action=deleted
AND
Filesystem.file_path IN ("/etc/ssh/*", "~/.ssh/*")
BY Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_account_manipulation_of_ssh_config_and_keys_filter`