Description
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys (or, on ESXi, /etc/ssh/keys-).(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value yes to ensure public key and RSA authentication are enabled, as well as modify the directive PermitRootLogin to the value yes to enable root authentication via SSH.(Citation: Broadcom ESXi SSH) The SSH config file is usually located under /etc/ssh/sshd_config.
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or REST API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.
SSH keys can also be added to accounts on network devices, such as with the ip ssh pubkey-chain Network Device CLI command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)
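The entries the description above is concerned with can be audited directly: an authorized_keys line is `[options] keytype base64-blob [comment]`, and OpenSSH identifies a key by the SHA256 fingerprint of the decoded blob. The following script is an added example, not code from the ATT&CK page or from OpenSSH. It parses each entry (honouring quoted option values such as a forced `command="..."`), checks that the blob really carries the declared key type, computes the OpenSSH-style fingerprint and reports any key whose fingerprint is not in an approved baseline. All sample keys and the `make_blob` helper that builds them are constructed for illustration; real blobs come from `ssh-keygen`.

```python
"""Audit an OpenSSH authorized_keys file against a baseline of approved keys.

Added example (not from the ATT&CK page or OpenSSH). Sample keys are constructed.
"""
import base64
import hashlib
import struct

# Key types accepted in authorized_keys (representative subset).
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _split_options(line):
    """Split off the leading options field: it ends at the first whitespace
    that is outside double quotes (OpenSSH quoting, backslash escapes)."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_entry(line):
    """Return a dict for one entry, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = "", line
    else:
        options, rest = _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys entry: {line!r}")
    return {"options": options, "type": parts[0], "blob": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}


def fingerprint(blob, keytype=None):
    """OpenSSH SHA256 fingerprint: base64(sha256(raw blob)) without '=' padding.
    If keytype is given, also check the blob's embedded type string matches."""
    raw = base64.b64decode(blob, validate=True)
    if keytype is not None:
        (n,) = struct.unpack(">I", raw[:4])
        if raw[4:4 + n] != keytype.encode():
            raise ValueError(f"blob type does not match declared {keytype}")
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(authorized_keys_text, approved):
    """Return (lineno, keytype, fingerprint, comment, options) for each key
    not in the approved fingerprint set. Malformed lines are reported too,
    since a hand-edited entry may not parse cleanly."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        try:
            entry = parse_entry(line)
            if entry is None:
                continue
            fp = fingerprint(entry["blob"], entry["type"])
        except (ValueError, struct.error) as exc:
            findings.append((lineno, "malformed", str(exc), "", ""))
            continue
        if fp not in approved:
            findings.append((lineno, entry["type"], fp,
                             entry["comment"], entry["options"]))
    return findings


def make_blob(keytype, key_bytes):
    """Build a wire-format public key blob (string type || string key data).
    Used here only to construct sample data."""
    t = keytype.encode()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(key_bytes)) + key_bytes
    return base64.b64encode(raw).decode()


# Constructed sample: an approved key, an approved key with a forced command,
# and one key missing from the baseline (the kind of entry to alert on).
APPROVED_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
BACKUP_BLOB = make_blob("ssh-ed25519", bytes(32))
UNKNOWN_BLOB = make_blob("ssh-ed25519", b"\xff" * 32)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {APPROVED_BLOB} admin@workstation
command="/usr/local/bin/backup --verbose",no-pty ssh-ed25519 {BACKUP_BLOB} backup-job
ssh-ed25519 {UNKNOWN_BLOB} user@unknown-host
"""
APPROVED_FINGERPRINTS = {fingerprint(APPROVED_BLOB), fingerprint(BACKUP_BLOB)}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print("unapproved key:", finding)
```

Run it periodically against every authorized_keys file on a host (including root's and, on ESXi, the per-user files under /etc/ssh/) and compare against a baseline captured when the host was built; a new fingerprint, or a line that fails to parse, is the signal this technique leaves behind.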
Platforms
Mitigations (3)
| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management | In cloud environments, ensure that only users who explicitly require the permissions to update instance metadata or configurations can do so. |
| M1022 | Restrict File and Directory Permissions | Restrict access to the authorized_keys file. |
| M1042 | Disable or Remove Feature or Program | Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using /etc/ssh/sshd_config. Setting the PermitRootLogin directive to no will prevent the root user from logging in via SSH.(Citation: Broadcom ESXi SSH) |
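The sshd_config directives named in the description and in the mitigations are easy to misread by eye, because OpenSSH uses the first value given for a keyword and treats everything after a Match line as conditional. The following checker is an added example, not code from the ATT&CK page or from OpenSSH. It evaluates the global section with those rules, reports where sshd reads authorized keys from (the paths to put under file-integrity monitoring) and flags a PermitRootLogin other than no, a missing AllowUsers/AllowGroups restriction, and the presence of Match blocks that it does not evaluate. The weak and hardened configs are constructed samples; the defaults table reflects OpenSSH 7.0 and later.

```python
"""Report the effective global sshd_config settings relevant to key persistence.

Added example, not from the ATT&CK page or OpenSSH. Sample configs are constructed.
"""
import re

# Defaults applied when a directive is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}


def effective_config(text):
    """Return (directives, saw_match): the first occurrence of each keyword in
    the global section, as lower-cased keyword -> value."""
    directives, saw_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            saw_match = True
            break                               # later lines are conditional
        directives.setdefault(keyword, value)   # first value wins
    return directives, saw_match


def authorized_keys_paths(text):
    """Files sshd reads keys from (%u/%h tokens left as written)."""
    directives, _ = effective_config(text)
    return directives.get("authorizedkeysfile", DEFAULTS["authorizedkeysfile"]).split()


def check(text):
    """Return human-readable findings; an empty list means nothing to tighten."""
    directives, saw_match = effective_config(text)

    def get(keyword):
        return directives.get(keyword, DEFAULTS.get(keyword))

    findings = []
    if get("permitrootlogin").lower() != "no":
        findings.append(f"PermitRootLogin is '{get('permitrootlogin')}'; set it to 'no'")
    if "allowusers" not in directives and "allowgroups" not in directives:
        findings.append("no AllowUsers/AllowGroups: every local account with a key may log in")
    if saw_match:
        findings.append("Match block present; per-user or per-address overrides are not "
                        "evaluated here, confirm with 'sshd -T -C user=...,addr=...'")
    return findings


# Constructed weak config: root login allowed, the later 'no' is ignored
# because the first value wins, and a Match block may hide further overrides.
WEAK = """
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin no        # ignored: first value wins
Match User backup
    PermitRootLogin no
"""

# Constructed hardened config: root login off, SSH limited to one group,
# keys read from a root-owned directory that users cannot write to.
HARDENED = """
PermitRootLogin no
PubkeyAuthentication yes
AllowGroups sshusers
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "reads keys from", authorized_keys_paths(cfg))
        for finding in check(cfg) or ["no findings"]:
            print("  -", finding)
```

Pointing AuthorizedKeysFile at a root-owned directory, as the hardened sample does, means a user-level compromise can no longer add a key for that user; the file-permission mitigation M1022 and this directive work together.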
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has dropped an SSH-authorized key in the `/root/.ssh` folder in order to access a compromised ser... |
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has added SSH authorized_keys under root or other users at the Linux level on compromised networ... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has added RSA keys in <code>authorized_keys</code>.(Citation: Aqua TeamTNT August 2020)(Citation: Cis... |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0468 | Skidmap | Malware | [Skidmap](https://attack.mitre.org/software/S0468) has the ability to add the public key of its handlers to the <code>authorized_keys</code> file to m... |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) will create an ssh key if necessary with the <code>ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P</code> ... |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) creates a new key pair with <code>ssh-keygen</code> and drops the newly created user key in <code>... |
References
- Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020.
- Broadcom. (2024, December 12). Allowing SSH access to VMware vSphere ESXi/ESX hosts with public/private key authentication. Retrieved March 26, 2025.
- Chris Moberly. (2020, February 12). Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments. Retrieved April 1, 2022.
- Cisco. (2021, August 23). ip ssh pubkey-chain. Retrieved July 13, 2022.
- Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020.
- Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022.
- Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022.
- ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020.
Frequently Asked Questions
What is T1098.004 (SSH Authorized Keys)?
T1098.004 is a MITRE ATT&CK technique named 'SSH Authorized Keys'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to sec...
How can T1098.004 be detected?
Detection of T1098.004 (SSH Authorized Keys) typically involves monitoring for modifications to authorized_keys files and to /etc/ssh/sshd_config (for example through file integrity monitoring and endpoint telemetry) and, in cloud environments, for API or command line calls that update instance metadata or virtual machine configuration with new SSH keys. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1098.004?
There are 3 documented mitigations for T1098.004. Key mitigations include: User Account Management, Restrict File and Directory Permissions, Disable or Remove Feature or Program.
Which threat groups use T1098.004?
Known threat groups using T1098.004 include: Earth Lusca, Salt Typhoon, TeamTNT.