SSH Authorized Keys File Deletion

Last updated 10 days ago on 2025-02-21

Created 10 days ago on 2025-02-21

About

This rule detects the deletion of the authorized_keys or authorized_keys2 files on Linux systems. These files are used to store public keys for SSH authentication. Unauthorized deletion of these files can be an indicator of an attacker removing access to the system, and may be a precursor to further malicious activity.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Defense EvasionData Source: Elastic DefendLanguage: eql

Severity

low

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Indicator Removal (T1070)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.process*
Related Integrations: endpoint(opens in a new tab or window)
Query

file where host.os.type == "linux" and event.type == "deletion" and file.name in ("authorized_keys", "authorized_keys2") and
not (
  process.executable in (
    "/usr/bin/google_guest_agent", "/usr/bin/dockerd", "/bin/dockerd", "/usr/bin/containerd"
  ) or
  process.executable like~ "/nix/store/*"
)

Install detection rules in Elastic Security

Detect SSH Authorized Keys File Deletion in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).