Detect SSH Authorized Keys in IBM QRadar
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. The authorized_keys file lists the public keys permitted to log in to a user account; it is normally found at <user-home>/.ssh/authorized_keys (the location is set by the AuthorizedKeysFile directive in sshd_config), and on VMware ESXi hosts it lives under /etc/ssh/keys-<user>/authorized_keys. Adversaries append their own public key to this file, which lets them log in over SSH as that user with the matching private key and no password. ATT&CK attributes this technique to multiple threat actors, including Earth Lusca, TeamTNT, and Salt Typhoon, as well as to malware families such as Skidmap, XCSSET, and Bundlore.
MITRE ATT&CK
- Tactic
- Persistence, Privilege Escalation
- Technique
- T1098 Account Manipulation
- Sub-technique
- T1098.004 SSH Authorized Keys
- Canonical reference
- https://attack.mitre.org/techniques/T1098/004/
QRadar Detection Query
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS source_ip,
  username,
  "Process Name" AS process_name,
  "File Path" AS file_path,
  "File Name" AS file_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process_name,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourceid) AS source_type,
  CASE
    WHEN LOWER("File Path") LIKE '%/root/.ssh%' OR LOWER("Command") LIKE '%/root/.ssh%' THEN 1
    ELSE 0
  END AS IsRootSSHDir,
  CASE
    WHEN LOWER("File Path") LIKE '%/etc/ssh/keys-%' OR LOWER("Command") LIKE '%/etc/ssh/keys-%' THEN 1
    ELSE 0
  END AS IsEtcSSHKeys,
  CASE
    WHEN LOWER("Command") LIKE '%>>%' OR LOWER("Command") LIKE '%tee -a%' OR LOWER("Command") LIKE '%tee --append%' THEN 1
    ELSE 0
  END AS IsAppendRedirect,
  CASE
    WHEN LOWER("Command") LIKE '%ssh-keygen%' THEN 1
    ELSE 0
  END AS IsSshKeygen,
  CASE
    WHEN LOWER("Command") LIKE '%curl%' OR LOWER("Command") LIKE '%wget%' THEN 1
    ELSE 0
  END AS IsCurlWget,
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%curl%' OR LOWER("Parent Process Name") LIKE '%wget%'
      OR LOWER("Parent Process Name") LIKE '%python%' OR LOWER("Parent Process Name") LIKE '%perl%'
      OR LOWER("Parent Process Name") LIKE '%ruby%' OR LOWER("Parent Process Name") LIKE '%netcat%'
      OR LOWER("Parent Process Name") LIKE '%ncat%' THEN 1
    ELSE 0
  END AS IsSuspiciousParent
FROM events
WHERE (
    LOWER("File Path") LIKE '%authorized_keys%'
    OR LOWER("File Name") LIKE 'authorized_keys%'
    OR LOWER("Command") LIKE '%authorized_keys%'
    OR LOWER(UTF8(payload)) LIKE '%authorized_keys%'
  )
  AND (
    LOGSOURCETYPENAME(logsourceid) ILIKE '%linux%'
    OR LOGSOURCETYPENAME(logsourceid) ILIKE '%syslog%'
    OR LOGSOURCETYPENAME(logsourceid) ILIKE '%auditd%'
    OR LOGSOURCETYPENAME(logsourceid) ILIKE '%unix%'
    OR LOGSOURCETYPENAME(logsourceid) ILIKE '%endpoint%'
    OR LOGSOURCETYPENAME(logsourceid) ILIKE '%esxi%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

Detects SSH authorized_keys modification events in IBM QRadar by querying normalized Linux, auditd, syslog, endpoint and ESXi log sources for file path, file name, command line and raw payload references to authorized_keys. CASE expressions compute per-row risk indicators: root SSH directory access, the ESXi /etc/ssh/keys- path, append redirect operators (>>, tee -a, tee --append), ssh-keygen invocation, curl/wget downloaders, and suspicious parent process names (scripting interpreters and netcat variants). The query requires the custom event properties Command, File Path, File Name, Process Name and Parent Process Name to be populated by the relevant QRadar DSM or custom event property definitions; rows from sources where these are empty still match on the payload scan but carry no indicators. UTF8(payload) exposes the raw payload as a string for the LIKE match; that scan is the most expensive term in the query, so once the custom properties are reliably populated, drop it or replace it with a TEXT SEARCH 'authorized_keys' clause, which uses QRadar's payload full-text index. The ESXi source-type clause is needed because ESXi syslog typically arrives under a VMware log source type whose name contains none of the other tokens; adjust the list to the LOGSOURCETYPENAME values in your deployment.
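The following is an added example, not code from the original page and not IBM AQL: it re-implements the query's WHERE scope and its six CASE indicators in Python over constructed events shaped like QRadar's normalized custom event properties, so the property mapping, the source-type filter and the false-positive tuning can be checked offline before the search is deployed. The sample events, the log source type names ("Linux OS", "VMware ESXi", "Microsoft Windows Security Event Log"), the 18080 stager port and the provisioning-parent allowlist are assumptions for illustration.

```python
"""Offline replay of the QRadar authorized_keys detection logic (added example)."""
from dataclasses import dataclass


@dataclass
class NormalizedEvent:
    """One QRadar event after DSM/CEP normalization; names follow the query's columns."""
    log_source_type: str           # LOGSOURCETYPENAME(logsourceid)
    username: str = ""
    payload: str = ""              # UTF8(payload): the raw log line
    process_name: str = ""         # "Process Name"
    file_path: str = ""            # "File Path"
    file_name: str = ""            # "File Name"
    command: str = ""              # "Command"
    parent_process_name: str = ""  # "Parent Process Name"


# Tokens from the query's LOGSOURCETYPENAME filter; 'esxi' keeps ESXi syslog in
# scope (assumed log source type name: "VMware ESXi").
SOURCE_TYPE_TOKENS = ("linux", "syslog", "auditd", "unix", "endpoint", "esxi")
SUSPICIOUS_PARENTS = ("curl", "wget", "python", "perl", "ruby", "netcat", "ncat")
# Tuning allowlist (assumption): parents of the provisioning paths listed under
# False Positives. Rows are marked suppressed rather than dropped, so they stay auditable.
PROVISIONING_PARENTS = ("cloud-init", "chef-client", "puppet", "ansible")


def in_scope(ev: NormalizedEvent) -> bool:
    """Mirror of the WHERE clause: an authorized_keys reference AND a Unix-like source."""
    references_file = (
        "authorized_keys" in ev.file_path.lower()
        or ev.file_name.lower().startswith("authorized_keys")
        or "authorized_keys" in ev.command.lower()
        or "authorized_keys" in ev.payload.lower()
    )
    unix_like = any(t in ev.log_source_type.lower() for t in SOURCE_TYPE_TOKENS)
    return references_file and unix_like


def indicators(ev: NormalizedEvent) -> dict:
    """Mirror of the CASE expressions; True corresponds to 1 in the AQL output."""
    cmd, path, parent = ev.command.lower(), ev.file_path.lower(), ev.parent_process_name.lower()
    return {
        "IsRootSSHDir": "/root/.ssh" in path or "/root/.ssh" in cmd,
        "IsEtcSSHKeys": "/etc/ssh/keys-" in path or "/etc/ssh/keys-" in cmd,
        "IsAppendRedirect": ">>" in cmd or "tee -a" in cmd or "tee --append" in cmd,
        "IsSshKeygen": "ssh-keygen" in cmd,
        "IsCurlWget": "curl" in cmd or "wget" in cmd,
        "IsSuspiciousParent": any(p in parent for p in SUSPICIOUS_PARENTS),
    }


def evaluate(events) -> list:
    """Return one scored row per in-scope event, in input order."""
    rows = []
    for ev in events:
        if not in_scope(ev):
            continue
        ind = indicators(ev)
        rows.append({
            "username": ev.username,
            "source_type": ev.log_source_type,
            "indicators": ind,
            "score": sum(ind.values()),
            "suppressed": any(p in ev.parent_process_name.lower() for p in PROVISIONING_PARENTS),
        })
    return rows


def alerts(events, min_score: int = 2) -> list:
    """Rows worth an offense: at least min_score indicators and no known provisioning parent."""
    return [r for r in evaluate(events) if r["score"] >= min_score and not r["suppressed"]]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Atomic test 1: key appended to root's file from an interactive shell.
    NormalizedEvent("Linux OS", username="root", process_name="sh", parent_process_name="bash",
                    file_path="/root/.ssh/authorized_keys", file_name="authorized_keys",
                    command="sh -c echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample attacker@evil' >> /root/.ssh/authorized_keys",
                    payload='type=PATH msg=audit(1700000000.100:4242): item=1 name="/root/.ssh/authorized_keys" nametype=NORMAL'),
    # Atomic test 2: key fetched with curl from a local stager, appended by a Python-launched shell.
    NormalizedEvent("Linux OS", username="ops", process_name="curl", parent_process_name="python3",
                    file_path="/home/ops/.ssh/authorized_keys", file_name="authorized_keys",
                    command="sh -c curl -s http://127.0.0.1:18080/id_ed25519.pub >> /home/ops/.ssh/authorized_keys"),
    # Atomic test 5: ESXi keeps per-user files under /etc/ssh/keys-<user>/.
    NormalizedEvent("VMware ESXi", username="root", process_name="sh", parent_process_name="sh",
                    file_path="/etc/ssh/keys-root/authorized_keys", file_name="authorized_keys",
                    command="cat /tmp/k.pub >> /etc/ssh/keys-root/authorized_keys"),
    # Out of scope: Windows OpenSSH uses administrators_authorized_keys, which the
    # reference match would catch, but the source-type filter excludes Windows sources.
    NormalizedEvent("Microsoft Windows Security Event Log", username="Administrator",
                    process_name="icacls.exe", parent_process_name="cmd.exe",
                    command=r"icacls C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r"),
    # Benign: a configuration-management run appending a rotated deploy key.
    NormalizedEvent("Linux OS", username="deploy", process_name="sh", parent_process_name="chef-client",
                    file_path="/home/deploy/.ssh/authorized_keys", file_name="authorized_keys",
                    command="sh -c cat /var/chef/cache/deploy_2024.pub >> /home/deploy/.ssh/authorized_keys"),
]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        flagged = [k for k, v in row["indicators"].items() if v]
        print(f'{row["username"]:<14} score={row["score"]} suppressed={row["suppressed"]} {flagged}')
```

Run stand-alone, the script lists four in-scope rows (the Windows event never passes the source-type filter) and `alerts()` keeps three of them: the root append, the curl download with a python3 parent, and the ESXi write. The chef-client row scores 1 and is suppressed by the allowlist, which is the shape of tuning to apply in QRadar as well: exclude known provisioning parents or users, but keep the root and /etc/ssh/keys- indicators alerting regardless.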
Data Sources
- Linux auditd (SYSCALL, EXECVE and PATH records for writes under /root/.ssh, /home/*/.ssh and /etc/ssh/keys-*), Linux syslog, ESXi syslog, and endpoint agents such as Microsoft Defender for Endpoint on Linux (DeviceFileEvents, DeviceProcessEvents) forwarded to QRadar
Required Tables
- events (the AQL events table), with the custom event properties Command, File Path, File Name, Process Name and Parent Process Name populated for the Linux, auditd, endpoint and ESXi log source types
False Positives & Tuning
- Configuration management systems (Ansible playbooks, Chef or Puppet agents) that add SSH public keys to authorized_keys as part of routine user provisioning or access-management workflows; note that Ansible modules execute as a Python interpreter on the managed host, so the IsSuspiciousParent indicator fires on their writes unless the controlling user or host is allowlisted
- Automated SSH key rotation scripts run by IT security teams on a schedule, particularly in environments with 90-day or shorter SSH key rotation policies
- Cloud instance user-data scripts on AWS EC2, GCP Compute Engine, or Azure VM extensions that inject SSH keys from instance metadata into authorized_keys during initial boot and provisioning
- Tune by excluding the known provisioning parent process, user or source host rather than suppressing authorized_keys events outright, and keep the root (/root/.ssh) and ESXi (/etc/ssh/keys-) indicators alerting regardless of the parent
Testing Methodology
Validate this detection against the five Atomic Red Team tests for T1098.004. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Append Adversary SSH Key to Root authorized_keys
Expected signal: auditd SYSCALL and PATH records for open()/write() on /root/.ssh/authorized_keys if an auditd file watch (write and attribute-change permissions) on that path is configured, plus the corresponding syslog entries from auditd. DeviceFileEvents (if MDE for Linux is deployed): FileCreated or FileModified for FileName=authorized_keys with FolderPath=/root/.ssh. DeviceProcessEvents: process creation for ssh-keygen and for echo/bash with a ProcessCommandLine containing 'authorized_keys'. A shell history entry in /root/.bash_history.
- Test 2: Add SSH Key via curl Download
Expected signal: DeviceProcessEvents: process creation for curl with a ProcessCommandLine containing 'authorized_keys'. DeviceNetworkEvents: a network connection from curl to 127.0.0.1:18080 (Sysmon Event ID 3 if Sysmon for Linux is deployed). DeviceFileEvents: FileModified on authorized_keys with InitiatingProcessFileName=bash or sh. Shell history entries for the curl and python3 commands.
- Test 3: Modify SSH Config to Enable Root Login and Key Auth
Expected signal: auditd SYSCALL records for open()/write() on /etc/ssh/sshd_config if an auditd watch on that file is configured. DeviceFileEvents (if MDE for Linux): FileModified for FileName=sshd_config in FolderPath=/etc/ssh. DeviceProcessEvents: process creation for sed with a ProcessCommandLine containing 'sshd_config' and 'PermitRootLogin'. Shell history entries for the sed and grep commands. This test does not touch authorized_keys itself, so the query above does not match it; it exercises the sshd_config change that makes the planted key usable for root.
- Test 4: Add SSH Key to Non-Root User Account
Expected signal: DeviceFileEvents: FileCreated or FileModified for FileName=authorized_keys under /home/<user>/.ssh/. DeviceProcessEvents: process creation for useradd, ssh-keygen and cat with the relevant command lines. auditd records for file operations on the authorized_keys path. Shell history for all commands executed.
- Test 5: Simulate ESXi authorized_keys Modification
Expected signal: DeviceFileEvents: FileCreated for FileName=authorized_keys with a FolderPath containing /etc/ssh/keys-. DeviceProcessEvents: process creation for ssh-keygen and cat with a ProcessCommandLine containing the ESXi key path. On real ESXi hosts, ESXCLI audit logs and /var/log/auth.log entries would also be generated; make sure the log source type those arrive under is covered by the query's source-type filter.
References
- https://attack.mitre.org/techniques/T1098/004/
- https://www.ssh.com/ssh/authorized_keys/
- https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities
- https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability
- https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata
- https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
- https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update
- https://knowledge.broadcom.com/external/article/313767/allowing-ssh-access-to-vmware-vsphere-es.html
- https://www.trendmicro.com/en_us/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques.html
- https://www.trendmicro.com/en_us/research/19/f/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html
- https://blog.aquasec.com/teamtnt-activities-summary-and-a-deep-dive-into-a-recent-campaign
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md