Modification of OpenSSH Binaries

About

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Credential AccessTactic: PersistenceTactic: Lateral MovementData Source: Elastic EndgameData Source: Elastic DefendLanguage: kuery

Severity

medium

Risk Score

47

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Create or Modify System Process (T1543)(opens in a new tab or window)

Credential Access (TA0006)(opens in a new tab or window)

↳ Modify Authentication Process (T1556)(opens in a new tab or window)

Lateral Movement (TA0008)(opens in a new tab or window)

↳ Remote Services (T1021)(opens in a new tab or window)

↳ Remote Service Session Hijacking (T1563)(opens in a new tab or window)

False Positive Examples

Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-endpoint.events.*endgame-*

Related Integrations

endpoint(opens in a new tab or window)

Query

event.category:file and host.os.type:linux and event.type:change and 
  process.name:(* and not (
    dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python* or
    apk or ansible-admin or systemd or python* or yum or nix-daemon or nix
    )
  ) and 
  (file.path:(/usr/bin/scp or 
                /usr/bin/sftp or 
                /usr/bin/ssh or 
                /usr/sbin/sshd) or 
  file.name:libkeyutils.so) and
  not process.executable:/usr/share/elasticsearch/*