SSH Authorized Keys
Last updated
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file specifies the SSH public keys that can be used for logging in as a given user; it is stored in that user's home directory under <user-home>/.ssh/authorized_keys. Users may edit the system's SSH config file to set PubKeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.
This technique works when the PUBLIC key has been allowed in the authorized_keys file.
Also, the sshd_config file needs to have PubKeyAuthentication set to "yes".
When all of this has been set, the malicious actor can steal the private key, or modify the authorized_keys file to add a new key, which allows the attacker to connect to the workstation via SSH.
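As an added example (not part of the original page), the following audit script parses authorized_keys entries, including the optional leading options such as command="..." and no-pty, computes each key's SHA256 fingerprint the way ssh-keygen -l prints it, flags entries whose fingerprint is not in an approved baseline or that are malformed, and checks whether sshd_config enables PubkeyAuthentication. The sample file, key blobs and baseline are constructed inline and are not real keys.

```python
import base64
import hashlib
import shlex
import struct

# Key type names accepted in authorized_keys all start with one of these.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -l prints it (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per entry: options, type, fingerprint, comment, or {'malformed': line}."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps command="/bin/x y",no-pty as one token
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"malformed": line})
            continue
        key_type, blob = tokens[idx], tokens[idx + 1]
        try:
            decoded = base64.b64decode(blob, validate=True)
            (length,) = struct.unpack(">I", decoded[:4])  # wire format: uint32 len + type string
            wire_type = decoded[4:4 + length].decode()
        except Exception:
            entries.append({"malformed": line})
            continue
        entries.append({"options": tokens[:idx], "type": key_type,
                        "type_matches_blob": wire_type == key_type,
                        "fingerprint": fingerprint(blob), "comment": " ".join(tokens[idx + 2:])})
    return entries


def unexpected_keys(text, approved_fingerprints):
    """Entries to investigate: not in the baseline, declared type differs from the blob, or malformed."""
    return [e for e in parse_authorized_keys(text)
            if "malformed" in e or not e["type_matches_blob"]
            or e["fingerprint"] not in approved_fingerprints]


def pubkey_auth_enabled(sshd_config_text):
    """sshd uses the first PubkeyAuthentication value (keyword case-insensitive); the default is yes."""
    for raw in sshd_config_text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "pubkeyauthentication":
            return parts[1].strip().lower() == "yes"
    return True


def _blob(key_type, key_bytes):
    """Constructed sample blob in OpenSSH wire format; not a usable key."""
    wire = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", len(key_bytes)) + key_bytes
    return base64.b64encode(wire).decode()


APPROVED_BLOB = _blob("ssh-ed25519", bytes(range(32)))
ROGUE_BLOB = _blob("ssh-ed25519", bytes(32))
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-ed25519 {APPROVED_BLOB} admin@workstation
command="/usr/bin/backup --quiet",no-pty ssh-ed25519 {ROGUE_BLOB} added-by-unknown
"""
BASELINE = {fingerprint(APPROVED_BLOB)}  # fingerprints recorded at a known-good point in time
```

Run it against every user's ~/.ssh/authorized_keys (and any AuthorizedKeysFile paths set in sshd_config) and compare against a baseline taken at build time; any new fingerprint is a change worth an alert.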