Unexpected SSH Authorized Keys

osquery
Find unexpected SSH authorized keys
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Find unexpected SSH authorized keys
--
-- references:
--   * https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/
--   * https://www.countercraftsec.com/blog/dota3-malware-again-and-again/
--   * https://attack.mitre.org/techniques/T1098/004/
--   * https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html
--
-- tags: persistent state filesystem
-- platform: posix
SELECT
  file.path,
  file.uid,
  file.gid,
  file.atime,
  file.mtime,
  file.ctime,
  file.size,
  hash.sha256,
  users.username,
  users.uid AS u_uid
FROM
  users
  JOIN file ON file.path = users.directory || "/.ssh/authorized_keys"
  JOIN hash ON file.path = hash.path
WHERE
  -- ignore empty authorized_keys files
  file.size > 0
  AND (
    -- key file is not owned by the account whose home directory it sits in
    file.uid != u_uid
    -- owned by a system or service uid (root, daemons)
    OR file.uid < 500
    -- home directory outside the usual user locations (Linux /home, macOS /Users)
    OR (
      file.path NOT LIKE '/home/%'
      AND file.path NOT LIKE '/Users/%'
    )
  )
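To show what the predicate above flags and, just as importantly, what it leaves alone, here is an added Python example (not part of ODK) that loads constructed rows shaped like osquery's users and file tables into in-memory SQLite and runs the same WHERE clause. The hash join is omitted because there is no filesystem to hash, and the reasons() helper is an assumption added for triage.

```python
import sqlite3

# Constructed sample rows shaped like the osquery tables the ODK query joins.
USERS = [  # (username, uid, directory)
    ("alice", 1000, "/home/alice"),
    ("bob", 1001, "/home/bob"),
    ("root", 0, "/root"),
    ("postgres", 999, "/var/lib/postgresql"),
    ("carol", 1002, "/home/carol"),
    ("dave", 501, "/Users/dave"),
]
FILES = [  # (path, uid, size)
    ("/home/alice/.ssh/authorized_keys", 1000, 400),        # owned by alice: expected
    ("/home/bob/.ssh/authorized_keys", 0, 200),             # owned by root, not bob
    ("/root/.ssh/authorized_keys", 0, 100),                 # system uid, outside /home
    ("/var/lib/postgresql/.ssh/authorized_keys", 999, 50),  # service-account home dir
    ("/home/carol/.ssh/authorized_keys", 1002, 0),          # empty file: ignored
    ("/Users/dave/.ssh/authorized_keys", 501, 300),         # macOS home: expected
]

# Same predicate as the ODK query (hash join dropped: nothing to hash in memory).
DETECTION = """
SELECT file.path, file.uid, users.username, users.uid AS u_uid
FROM users
  JOIN file ON file.path = users.directory || '/.ssh/authorized_keys'
WHERE file.size > 0
  AND (file.uid != u_uid
       OR file.uid < 500
       OR (file.path NOT LIKE '/home/%' AND file.path NOT LIKE '/Users/%'))
"""

def reasons(path, file_uid, user_uid):
    """Triage helper (assumed, not in ODK): which clause of the predicate fired."""
    out = []
    if file_uid != user_uid:
        out.append("owner is not the account holder")
    if file_uid < 500:
        out.append("owned by a system uid")
    if not (path.startswith("/home/") or path.startswith("/Users/")):
        out.append("home directory outside /home or /Users")
    return out

def unexpected_keys(users=USERS, files=FILES):
    """Run the detection over the sample tables; return [(path, username, reasons)]."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (username TEXT, uid INTEGER, directory TEXT);"
        "CREATE TABLE file (path TEXT, uid INTEGER, size INTEGER);"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", users)
    conn.executemany("INSERT INTO file VALUES (?, ?, ?)", files)
    return [(path, name, reasons(path, uid, u_uid))
            for path, uid, name, u_uid in conn.execute(DETECTION)]
```

On a clean host the list is empty, which is the "zero rows during normal behaviour" property the description relies on for alerting.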


Reference

https://github.com/chainguard-dev/osquery-defense-kit