Potential Redis CONFIG SET SSH Authorized Key Injection

Last updated 7 days ago on 2026-06-11
Created 7 days ago on 2026-06-11

About

This rule detects attempts to abuse Redis CONFIG SET commands to inject SSH authorized keys on Linux hosts. Attackers targeting unauthenticated Redis instances issue CONFIG SET dir to an SSH directory such as /root/.ssh, set the filename to authorized_keys via CONFIG SET dbfilename, write an attacker-controlled public key via SET, and call BGSAVE to flush it to disk, establishing persistent SSH access as root.
Tags

Domain: Network
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Data Source: Network Packet Capture
Language: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)

Initial Access (TA0001)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-network_traffic.redis*
Related Integrations

network_traffic

Query
network where data_stream.dataset == "network_traffic.redis" and
  (
    (network_traffic.redis.query like~ "*CONFIG SET dir*" and
     network_traffic.redis.query like~ "*/.ssh*")
    or
    (network_traffic.redis.query like~ "*CONFIG SET dbfilename*" and
     network_traffic.redis.query like~ "*authorized_keys*")
  )
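The following Python is an added illustration of what the EQL query above matches, not code from Elastic or the rule itself. It reimplements the rule's logic (an `eql`-style case-insensitive `like~` wildcard match over the `network_traffic.redis.query` field, restricted to the `network_traffic.redis` dataset) and runs it over constructed sample events so an analyst can see which captured Redis commands would raise the alert. The sample events and the flattened field names are assumptions for this example.

```python
import re

# Constructed sample events, shaped like the documents the rule queries,
# with the nested ECS fields flattened to dotted keys (assumption for this example).
SAMPLE_EVENTS = [
    {"data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "CONFIG SET dir /root/.ssh"},
    {"data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "config set dbfilename authorized_keys"},
    {"data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "CONFIG SET dir /var/lib/redis"},
    {"data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "SET user:1 alice"},
    # Same command string but wrong dataset: the rule's dataset filter excludes it.
    {"data_stream.dataset": "network_traffic.http",
     "network_traffic.redis.query": "CONFIG SET dir /root/.ssh"},
]


def like_ci(value: str, pattern: str) -> bool:
    """Approximate EQL `like~`: case-insensitive wildcard match where
    `*` matches any run of characters and `?` matches a single character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def matches_rule(event: dict) -> bool:
    """Return True if a single event satisfies the rule's where clause."""
    if event.get("data_stream.dataset") != "network_traffic.redis":
        return False
    query = event.get("network_traffic.redis.query", "")
    # Branch 1: CONFIG SET dir pointed at an SSH directory.
    dir_to_ssh = like_ci(query, "*CONFIG SET dir*") and like_ci(query, "*/.ssh*")
    # Branch 2: CONFIG SET dbfilename set to authorized_keys.
    dbfile_authkeys = (like_ci(query, "*CONFIG SET dbfilename*")
                       and like_ci(query, "*authorized_keys*"))
    return dir_to_ssh or dbfile_authkeys


def find_alerts(events) -> list:
    """Return the query strings of every event that would fire the rule."""
    return [e["network_traffic.redis.query"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two points worth noting when tuning or triaging this rule: `like~` is case-insensitive, so lower-case `config set dbfilename` matches as readily as the upper-case form, and the two branches are joined by `or`, so either command alone raises an alert. Each hit is a single event, so an analyst should pivot to the surrounding Redis commands from the same source in the capture to confirm the full sequence the description above lays out.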

Install detection rules in Elastic Security

Detect Potential Redis CONFIG SET SSH Authorized Key Injection in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.