T1098.004

SSH Authorized Keys

Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. The authorized_keys file specifies SSH keys permitted for logging into a user account, typically found at <user-home>/.ssh/authorized_keys. Adversaries add their own public keys to this file, enabling passwordless SSH access using the corresponding private key. This technique is used by multiple threat actors including Earth Lusca, TeamTNT, and Salt Typhoon, as well as malware families like Skidmap, XCSSET, and Bundlore.

Microsoft Sentinel / Defender

kusto

let AuthorizedKeysPaths = dynamic([
  ".ssh/authorized_keys",
  ".ssh/authorized_keys2",
  "/etc/ssh/keys-",
  "authorized_keys"
]);
let SuspiciousParents = dynamic([
  "curl", "wget", "python", "python3", "perl", "ruby",
  "nc", "ncat", "netcat", "bash", "sh", "dash", "zsh"
]);
// File write events to authorized_keys
let FileWriteEvents = DeviceFileEvents
| where TimeGenerated > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (AuthorizedKeysPaths) or FileName =~ "authorized_keys" or FileName =~ "authorized_keys2"
| extend EventType = "FileWrite"
| project TimeGenerated, DeviceName, AccountName, ActionType, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
          SHA256, EventType;
// Process events writing to authorized_keys via shell commands
let ProcessWriteEvents = DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where ProcessCommandLine has_any (AuthorizedKeysPaths)
| where ProcessCommandLine has_any ("echo", "tee", "cat", "cp", "mv", "printf", "ssh-keygen", "dd", ">", ">>", "write", "install")
| extend EventType = "ProcessWrite"
| project TimeGenerated, DeviceName, AccountName, ActionType = ActionType,
          FolderPath = "", FileName = FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessParentFileName,
          SHA256 = SHA256, EventType;
union FileWriteEvents, ProcessWriteEvents
| extend IsRootSSHDir = FolderPath has "/root/.ssh" or ProcessCommandLine has "/root/.ssh"
| extend IsEtcSSHKeys = FolderPath has "/etc/ssh/keys" or ProcessCommandLine has "/etc/ssh/keys"
| extend IsRedirectAppend = ProcessCommandLine has ">>" or ProcessCommandLine has "tee -a" or ProcessCommandLine has "tee --append"
| extend IsSshKeygen = ProcessCommandLine has "ssh-keygen" or InitiatingProcessFileName has "ssh-keygen"
| extend IsCurlWget = InitiatingProcessFileName has_any ("curl", "wget") or ProcessCommandLine has_any ("curl", "wget")
| extend SuspicionScore = toint(IsRootSSHDir) + toint(IsEtcSSHKeys) + toint(IsRedirectAppend) + toint(IsSshKeygen) + toint(IsCurlWget)
| project TimeGenerated, DeviceName, AccountName, EventType, ActionType,
          FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, SHA256,
          IsRootSSHDir, IsEtcSSHKeys, IsRedirectAppend, IsSshKeygen, IsCurlWget, SuspicionScore
| sort by TimeGenerated desc

high severity high confidence

Data Sources

File: File Modification File: File Creation Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate system administrators adding their own SSH public keys to authorized remote servers during provisioning or key rotation
Configuration management tools (Ansible, Chef, Puppet, Terraform) that deploy authorized_keys as part of infrastructure-as-code workflows
Automated CI/CD pipelines that configure SSH keys for deployment accounts on build or staging servers
Cloud-init or user-data scripts that populate authorized_keys during virtual machine boot and initial provisioning

Splunk

spl

index=syslog sourcetype=syslog OR sourcetype=linux_secure OR sourcetype="linux:syslog"
| eval raw_msg=_raw
// Match file writes to authorized_keys via auditd or syslog
| where match(raw_msg, "authorized_keys") OR match(raw_msg, "authorized_keys2")
| rex field=raw_msg "(?i)(?P<proc_name>[a-zA-Z0-9_\-]+)\[(?P<pid>\d+)\]"
| rex field=raw_msg "(?i)(user|uid)[=:\s]+(?P<username>[a-zA-Z0-9_\-\.]+)"
| rex field=raw_msg "(?i)(cmd|command|exe)[=:\s]+(?P<command>[^\n]+)"
| eval IsRootSSHDir=if(match(raw_msg, "/root/\.ssh"), 1, 0)
| eval IsEtcSSHKeys=if(match(raw_msg, "/etc/ssh/keys-"), 1, 0)
| eval IsAppendRedirect=if(match(raw_msg, ">>|tee\s+-a|tee\s+--append"), 1, 0)
| eval IsSshKeygen=if(match(raw_msg, "ssh-keygen"), 1, 0)
| eval IsCurlWget=if(match(raw_msg, "curl|wget"), 1, 0)
| eval IsEchoWrite=if(match(raw_msg, "echo.+authorized_keys|printf.+authorized_keys"), 1, 0)
| eval SuspicionScore=IsRootSSHDir + IsEtcSSHKeys + IsAppendRedirect + IsSshKeygen + IsCurlWget + IsEchoWrite
| where SuspicionScore > 0
| table _time, host, username, proc_name, pid, raw_msg, IsRootSSHDir, IsEtcSSHKeys, IsAppendRedirect, IsSshKeygen, IsCurlWget, IsEchoWrite, SuspicionScore
| sort - _time

| appendcols
    [search index=syslog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
     file_path="*authorized_keys*"
    | eval IsRootSSHDir=if(match(TargetFilename, "/root/\.ssh"), 1, 0)
    | eval IsEtcSSHKeys=if(match(TargetFilename, "/etc/ssh/keys-"), 1, 0)
    | eval IsSshKeygen=if(match(Image, "ssh-keygen"), 1, 0)
    | table _time, host, User, Image, TargetFilename, CommandLine, IsRootSSHDir, IsEtcSSHKeys, IsSshKeygen]

high severity medium confidence

Data Sources

File: File Modification File: File Creation Process: Process Creation Linux auditd Linux syslog

Required Sourcetypes

syslog linux_secure linux:syslog

False Positives

Legitimate system administrators adding their own SSH public keys to authorized remote servers during provisioning or key rotation
Configuration management tools (Ansible, Chef, Puppet, Terraform) that deploy authorized_keys as part of infrastructure-as-code workflows
Automated CI/CD pipelines that configure SSH keys for deployment accounts on build or staging servers
Cloud-init or user-data scripts that populate authorized_keys during virtual machine boot and initial provisioning

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS source_ip,
  username,
  "Process Name" AS process_name,
  "File Path" AS file_path,
  "File Name" AS file_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process_name,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourceid) AS source_type,
  CASE
    WHEN LOWER("File Path") LIKE '%/root/.ssh%' OR LOWER("Command") LIKE '%/root/.ssh%' THEN 1
    ELSE 0
  END AS IsRootSSHDir,
  CASE
    WHEN LOWER("File Path") LIKE '%/etc/ssh/keys-%' OR LOWER("Command") LIKE '%/etc/ssh/keys-%' THEN 1
    ELSE 0
  END AS IsEtcSSHKeys,
  CASE
    WHEN LOWER("Command") LIKE '%>>%' OR LOWER("Command") LIKE '%tee -a%' OR LOWER("Command") LIKE '%tee --append%' THEN 1
    ELSE 0
  END AS IsAppendRedirect,
  CASE
    WHEN LOWER("Command") LIKE '%ssh-keygen%' THEN 1
    ELSE 0
  END AS IsSshKeygen,
  CASE
    WHEN LOWER("Command") LIKE '%curl%' OR LOWER("Command") LIKE '%wget%' THEN 1
    ELSE 0
  END AS IsCurlWget,
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%curl%' OR LOWER("Parent Process Name") LIKE '%wget%'
      OR LOWER("Parent Process Name") LIKE '%python%' OR LOWER("Parent Process Name") LIKE '%perl%'
      OR LOWER("Parent Process Name") LIKE '%ruby%' OR LOWER("Parent Process Name") LIKE '%netcat%'
      OR LOWER("Parent Process Name") LIKE '%ncat%' THEN 1
    ELSE 0
  END AS IsSuspiciousParent
FROM events
WHERE (
  LOWER("File Path") LIKE '%authorized_keys%'
  OR LOWER("File Name") LIKE 'authorized_keys%'
  OR LOWER("Command") LIKE '%authorized_keys%'
  OR LOWER(TEXT(payload)) LIKE '%authorized_keys%'
)
AND (
  LOGSOURCETYPENAME(logsourceid) ILIKE '%linux%'
  OR LOGSOURCETYPENAME(logsourceid) ILIKE '%syslog%'
  OR LOGSOURCETYPENAME(logsourceid) ILIKE '%auditd%'
  OR LOGSOURCETYPENAME(logsourceid) ILIKE '%unix%'
  OR LOGSOURCETYPENAME(logsourceid) ILIKE '%endpoint%'
)
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar Linux OS DSM (auditd via Universal DSM or dedicated Linux DSM) Syslog from Linux endpoints routed to QRadar QRadar EDR integration (CrowdStrike Falcon, SentinelOne, Carbon Black via DSM) IBM QRadar on Cloud (QRoC) with Linux log source

Required Tables

events

False Positives

Configuration management systems running Ansible playbooks or Chef/Puppet agents that add SSH public keys to authorized_keys as part of routine user provisioning or access management workflows
Automated SSH key rotation scripts executed by IT security teams on a scheduled basis, particularly in environments with 90-day or shorter SSH key rotation policies
Cloud instance user-data scripts on AWS EC2, GCP Compute Engine, or Azure VM extensions that inject SSH keys from instance metadata into authorized_keys during initial boot and provisioning

Sumo Logic CSE

sql

_sourceCategory=*linux* OR _sourceCategory=*syslog* OR _sourceCategory=*auditd*
| where _raw matches /authorized_keys/
| parse regex "(?P<proc_name>[a-zA-Z0-9_-]+)\[(?P<pid>\d+)\]" nodrop
| parse regex "(?:user|uid)[=: ]+(?P<username>[a-zA-Z0-9_.@-]+)" nodrop
| parse regex "(?:cmd|command|exe|comm)[=: ]+\"?(?P<command>[^\"\n]+)\"?" nodrop
| parse regex "(?:path|name)[=: ]+\"?(?P<file_path>[^\"\n ]+authorized_keys[^\"\n ]*)\"?" nodrop
| if (_raw matches /\/root\/.ssh/, 1, 0) as IsRootSSHDir
| if (_raw matches /\/etc\/ssh\/keys-/, 1, 0) as IsEtcSSHKeys
| if (_raw matches />>|tee -a|tee --append/, 1, 0) as IsAppendRedirect
| if (_raw matches /ssh-keygen/, 1, 0) as IsSshKeygen
| if (_raw matches /curl|wget/, 1, 0) as IsCurlWget
| if (_raw matches /echo.*authorized_keys|printf.*authorized_keys/, 1, 0) as IsEchoWrite
| (IsRootSSHDir + IsEtcSSHKeys + IsAppendRedirect + IsSshKeygen + IsCurlWget + IsEchoWrite) as SuspicionScore
| where SuspicionScore > 0
| fields _messageTime, _sourceHost, username, proc_name, pid, command, file_path, IsRootSSHDir, IsEtcSSHKeys, IsAppendRedirect, IsSshKeygen, IsCurlWget, IsEchoWrite, SuspicionScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Linux syslog via Sumo Logic Installed Collector (sourceCategory=*linux* or *syslog*) Auditd logs via Sumo Logic Installed Collector (sourceCategory=*auditd*) Sumo Logic Cloud SIEM (CSE) with normalized Linux schema Sumo Logic Kubernetes Collection from Linux worker nodes

Required Tables

Log data matching _sourceCategory=*linux*, *syslog*, or *auditd*

False Positives

Infrastructure-as-code tooling (Terraform remote-exec provisioners, Pulumi local commands, cloud-init scripts) that write SSH public keys to authorized_keys as part of VM provisioning at scale
SSH bastion host initialization scripts that pre-populate authorized_keys from a central key management service (HashiCorp Vault SSH secrets engine, AWS Systems Manager, CyberArk) on startup
Developers using ssh-copy-id, Visual Studio Code Remote SSH, or JetBrains Gateway to add their workstation public key to development servers or Kubernetes nodes for IDE-based remote development

Google Chronicle / SecOps

yaral

rule t1098_004_ssh_authorized_keys_file_write {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects file creation or modification events targeting SSH authorized_keys paths, indicating potential SSH key persistence. MITRE ATT&CK T1098.004 - Account Manipulation: SSH Authorized Keys."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1098.004"
    reference = "https://attack.mitre.org/techniques/T1098/004/"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "linux"
    data_source = "EDR, auditd, syslog"
    false_positives = "Configuration management automation, authorized IT admin key deployment, cloud-init provisioning"
    created = "2026-04-13"
    version = "1.0"

  events:
    ($e.metadata.event_type = "FILE_MODIFICATION" or
     $e.metadata.event_type = "FILE_CREATION")
    (re.regex($e.target.file.full_path, `\.ssh/authorized_keys2?$`) or
     re.regex($e.target.file.full_path, `/etc/ssh/keys-`) or
     $e.target.file.name = "authorized_keys" or
     $e.target.file.name = "authorized_keys2")

  condition:
    $e
}

rule t1098_004_ssh_authorized_keys_process_write {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects process launch events where shell utilities (echo, tee, ssh-keygen) or network downloaders (curl, wget) write to authorized_keys paths. Flags suspicious parent processes. MITRE ATT&CK T1098.004."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1098.004"
    reference = "https://attack.mitre.org/techniques/T1098/004/"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "linux"
    data_source = "EDR process telemetry"
    false_positives = "Ansible ssh key deployment, CI/CD key rotation pipelines"
    created = "2026-04-13"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.command_line, `authorized_keys`)
    (re.regex($e.target.process.command_line, `(echo|printf|tee|ssh-keygen|>>|curl|wget|cp |mv |dd |install )`) or
     re.regex($e.principal.process.file.full_path, `/(curl|wget|python[23]?|perl|ruby|nc|ncat|netcat|bash|sh|dash|zsh)$`))

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle with CrowdStrike Falcon EDR (UDM normalized process and file events) Chronicle with Carbon Black, SentinelOne, or Microsoft Defender for Endpoint via Chronicle ingestion Chronicle Linux host forwarder with auditd (FILE_MODIFICATION, PROCESS_LAUNCH UDM events) Google Chronicle via Google Cloud Security Command Center integration

Required Tables

UDM Events with event_type FILE_MODIFICATION UDM Events with event_type FILE_CREATION UDM Events with event_type PROCESS_LAUNCH

False Positives

Ansible ad-hoc commands or playbooks using the authorized_key module to deploy legitimate SSH public keys, which generates both PROCESS_LAUNCH (python/ansible) and FILE_MODIFICATION (authorized_keys) UDM events in rapid succession
Cloud-init and instance initialization scripts on AWS EC2 or GCP Compute Engine that inject SSH keys from instance metadata into authorized_keys at first boot, generating FILE_CREATION events from the cloud-init process
Security audit scripts that use cat or grep to read (not write) authorized_keys for compliance verification, which may trigger process-based detection if the command_line pattern match is too broad

CrowdStrike LogScale (CQL)

cql

// SSH Authorized Keys Modification — T1098.004
// Detects process command lines writing to authorized_keys paths via shell utilities or network downloaders

#event_simpleName in (ProcessRollup2, SyntheticProcessRollup2)
| CommandLine = /authorized_keys/i
| regex("(?i)(echo|printf|tee|>>|ssh-keygen|curl|wget|cp |mv |dd |install )", field=CommandLine)
| IsRootSSHDir := if(CommandLine = /\/root\/.ssh/i, 1, 0)
| IsEtcSSHKeys := if(CommandLine = /\/etc\/ssh\/keys-/i, 1, 0)
| IsRedirectAppend := if(CommandLine = />>|tee -a|tee --append/i, 1, 0)
| IsSshKeygen := if(CommandLine = /ssh-keygen/i, 1, 0)
| IsCurlWget := if(CommandLine = /curl|wget/i OR ParentBaseFileName = /^(curl|wget)$/i, 1, 0)
| IsSuspiciousParent := if(ParentBaseFileName = /^(bash|sh|dash|zsh|python[23]?|perl|ruby|nc|ncat|netcat)$/i, 1, 0)
| SuspicionScore := IsRootSSHDir + IsEtcSSHKeys + IsRedirectAppend + IsSshKeygen + IsCurlWget + IsSuspiciousParent
| SuspicionScore > 0
| sort(SuspicionScore, order=desc)
| select([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, SHA256HashData, IsRootSSHDir, IsEtcSSHKeys, IsRedirectAppend, IsSshKeygen, IsCurlWget, IsSuspiciousParent, SuspicionScore])

high severity high confidence

Data Sources

CrowdStrike Falcon EDR sensor (ProcessRollup2, SyntheticProcessRollup2 events) CrowdStrike Falcon LogScale (Humio) via NG-SIEM CrowdStrike Falcon Insight XDR event search CrowdStrike Falcon Foundry custom application queries

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

DevOps engineers running Ansible playbooks or custom shell scripts that legitimately add or rotate SSH public keys as part of server provisioning, generating ProcessRollup2 events from python/ansible-playbook with authorized_keys in the command context
Security hardening scripts that invoke ssh-keygen to generate new host keys or audit existing authorized_keys files for expired or unauthorized entries as part of scheduled compliance checks
Automated deployment pipelines (Capistrano, Fabric, or custom CI/CD shell scripts) that use SCP or SSH key operations to configure service account access on freshly provisioned Linux build agents or deployment targets

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1098.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1098Account Manipulation

Related Sub-techniques

T1098.001Additional Cloud Credentials T1098.002Additional Email Delegate Permissions T1098.003Additional Cloud Roles T1098.005Device Registration T1098.006Additional Container Cluster Roles T1098.007Additional Local or Domain Groups

SSH Authorized Keys

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections