title: SSH Authorized Keys (T1098.004)
id: df00tech-t1098-004
status: experimental
description: "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. The authorized_keys file specifies SSH keys permitted for logging into a user account, typically found at <user-home>/.ssh/authorized_keys. Adversaries add their own public keys to this file, enabling passwordless SSH access using the corresponding private key. This technique is used by multiple threat actors including Earth Lusca, TeamTNT, and Salt Typhoon, as well as malware families like Skidmap, XCSSET, and Bundlore."
references:
  - https://attack.mitre.org/techniques/T1098/004/
  - https://df00tech.com/detections/T1098.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1098.004
# NOTE: logsource is auto-derived and may need adjustment for your environment. The authorized_keys file lives on the
# SSH server host (commonly Linux or macOS), so a file-modification or audit log source usually fits this technique
# better than Windows process creation.
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; the selection below is a placeholder that matches every event.
  # Replace it with the KQL/SPL query on df00tech before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate system administrators adding their own SSH public keys to authorized remote servers during provisioning or key rotation
  - "Configuration management tools (Ansible, Chef, Puppet, Terraform) that deploy authorized_keys as part of infrastructure-as-code workflows"
  - Automated CI/CD pipelines that configure SSH keys for deployment accounts on build or staging servers
  - Cloud-init or user-data scripts that populate authorized_keys during virtual machine boot and initial provisioning
level: high
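# The host-side check behind this rule, as an added example (not df00tech's own rule or code): a Python auditor that
# parses authorized_keys lines the way OpenSSH defines them ([options] keytype base64-blob [comment]), fingerprints
# each key as `ssh-keygen -lf` does, and reports keys absent from a provisioning baseline. The key material, sample
# file content and baseline below are constructed, not real keys.

```python
# Added example (not df00tech's rule): audit authorized_keys against a known-good key baseline.
import base64
import hashlib
import re

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com")
# Key type + base64 blob; text before the match is the options field (may hold quoted spaces), after it the comment.
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) + r")\s+([A-Za-z0-9+/]+=*)")

def fingerprint(blob_b64):
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint, as printed by `ssh-keygen -lf`."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(blob_b64)).digest()).decode().rstrip("=")

def parse_line(line):
    """Return (options, key_type, blob, comment), or None for blank, comment or unparseable lines."""
    m = None if not (line := line.strip()) or line[0] == "#" else _KEY_RE.search(line)
    return m and (line[:m.start()].strip(), m.group(1), m.group(2), line[m.end():].strip())

def audit(text, baseline):
    """Report keys whose fingerprint is not in `baseline`, and malformed entries (undecodable blob or type mismatch)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if (parsed := parse_line(raw)) is None:
            continue
        options, key_type, blob, comment = parsed
        finding = {"line": lineno, "type": key_type, "options": options, "comment": comment}
        try:  # the blob starts with its own length-prefixed type string; it must agree with the declared type
            decoded = base64.b64decode(blob, validate=True)
            ok = decoded[4:4 + int.from_bytes(decoded[:4], "big")] == key_type.encode()
        except ValueError:
            ok = False
        if not ok:
            findings.append({**finding, "reason": "malformed"})
        elif (fp := fingerprint(blob)) not in baseline:
            findings.append({**finding, "reason": "unknown-key", "fingerprint": fp})
    return findings

def make_blob(key_type, key_bytes):
    """Constructed wire-format blob (type string + one key string): demo data, not a real key."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + s(key_bytes)).decode()

# Constructed sample file: two provisioned keys, one key added outside provisioning, one junk line.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-ed25519 " + make_blob("ssh-ed25519", bytes(range(32))) + " admin@bastion",
    'command="/usr/bin/backup --full",no-pty ssh-ed25519 ' + make_blob("ssh-ed25519", bytes(32)) + " backup",
    "ssh-ed25519 " + make_blob("ssh-ed25519", b"\xff" * 32),
    "ssh-rsa AAAA not-a-real-key",
])
BASELINE = {fingerprint(make_blob("ssh-ed25519", k)) for k in (bytes(range(32)), bytes(32))}
```

# Seeding the baseline from the keys that provisioning, configuration management or cloud-init deploy (the
# falsepositives listed above) is what turns "a key was added" into "an unexpected key was added".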
