Operator On The Wire
BLUE TEAM / THREAT HUNT / LINUX / AUTHENTICATION

SSH Key Persistence

This note documents detection patterns, artifacts and triage steps for SSH key persistence on Linux: an attacker-controlled public key written into an account's authorized_keys file (or an alternate key source configured in sshd) so that access survives password changes and reboots.


Direct Indicators

Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes
~/.ssh/authorized_keys | New key entry | SSH key-based access granted | Critical | Primary persistence artifact.
/root/.ssh/authorized_keys | Root key insertion | Direct privileged persistence | Critical | Extremely high-value finding.
~/.ssh/authorized_keys | Multiple unknown keys | Additional hidden access paths | Critical | Common attacker redundancy.
~/.ssh/authorized_keys | Key comment anomaly | Suspicious operator/tool comments | High | Comments may reveal hostnames, emails, tooling.
~/.ssh/authorized_keys | command= (forced command) prefix | Command auto-executed on login; restricted but persistent access | Critical | Can embed stealth persistence logic (loader, reverse shell) and hides what the key really does from a casual review.
~/.ssh/authorized_keys | from= restriction | Persistence limited to attacker-chosen source addresses | High | Suggests deliberate stealth; also keeps other users of a leaked key out.
auth.log / secure | Accepted publickey | Successful key authentication | Critical | Confirms key usage; modern OpenSSH appends the key type and SHA256 fingerprint to the line.
auth.log / secure | userauth_pubkey | Public key auth flow | High | Mostly emitted at LogLevel VERBOSE/DEBUG; at the default INFO level it appears mainly when a key or algorithm is rejected, so do not rely on it alone.
journalctl | key auth acceptance | Journald SSH key usage evidence | Critical | Required where flat logs are absent (journald-only hosts).
File timestamps | recent mtime on authorized_keys | Key file modified | Critical | Strong insertion timing pivot; mtime can be backdated with touch, ctime cannot without moving the system clock.
File ownership anomalies | incorrect owner/group | Tampered key file | High | Common attacker mistake. sshd with StrictModes (the default) refuses a file not owned by the user or root, or writable by others, so a working backdoor usually has plausible permissions; an unexpected group or root ownership inside a user home is the telltale.
auditd | write to authorized_keys | Process-level persistence evidence | Critical | Best process attribution if enabled (file watch rule with -p wa).
Shell history | echo >> authorized_keys | Interactive key insertion | Critical | High-confidence attacker action, but history is easily disabled or truncated, so absence proves nothing.

Indirect Indicators

Indicator | What To Look For | Forensic Value | Notes
Key login appears after password login | Password foothold followed by key auth | Critical | Classic stabilization sequence.
New account immediately has key | Fresh user paired with SSH persistence | Critical | Strong malicious persistence pattern.
Root key appears without admin ticket | Unexplained root access path | Critical | High severity.
Multiple identical keys across hosts | Same key fingerprint in many authorized_keys files | Critical | Cross-host compromise signal; compare fingerprints, not comments.
Key comment references external machine | Foreign hostname/email | High | Often reveals operator environment.
Old account suddenly gains new key | Dormant account reused | High | Common stealth technique.
Key file timestamp mismatches home activity | Silent insertion | High | Timeline anomaly.
Authorized keys created where absent before | Persistence introduced | Critical | Especially suspicious on service users.
Key auth from new IP | Unexpected source begins key login | High | Investigate source trust.
Forced command present unexpectedly | Hidden restricted backdoor | Critical | Often missed in casual review.

Common Tools

Tool | Usage
ssh-copy-id | Legitimate or malicious key insertion helper.
echo >> ~/.ssh/authorized_keys | Crude manual persistence.
cat key.pub >> authorized_keys | Common attacker insertion method.
scp / sftp | Key transfer before insertion.
Stolen private key | Enables later re-entry without passwords; no new authorized_keys entry appears, so only auth logs reveal it.
Automation scripts | Used by attackers after first foothold.

Relevant Artifacts

Artifact | Path / Command | Forensic Value | Notes
Authorized keys | ~/.ssh/authorized_keys (and ~/.ssh/authorized_keys2, the second default AuthorizedKeysFile) | Critical | Primary persistence file.
Root authorized keys | /root/.ssh/authorized_keys | Critical | Highest severity key persistence artifact.
SSH directory metadata | ~/.ssh/ | High | Ownership, mode, timestamps.
File timestamps | stat authorized_keys | Critical | Modification timing; ctime survives touch-based backdating of mtime.
SSH auth logs | /var/log/auth.log, /var/log/secure | Critical | Key usage evidence.
Journald | journalctl -u ssh, journalctl -u sshd (journalctl -t sshd matches the syslog identifier on either distro family) | Critical | Primary source on modern systems.
Shell history | .bash_history, .zsh_history | Critical | Key insertion commands.
Audit logs | /var/log/audit/audit.log | Critical | Write attribution if enabled.
Home directory | /home/<user> | High | Related persistence artifacts.
SSH daemon config | /etc/ssh/sshd_config, /etc/ssh/sshd_config.d/*.conf | High | Determines accepted auth methods. Check AuthorizedKeysFile and AuthorizedKeysCommand (keys may live outside ~/.ssh) and PermitRootLogin; sshd -T prints the effective values.

MITRE ATT&CK References

  • T1098 Account Manipulation
  • T1098.004 SSH Authorized Keys
  • T1078 Valid Accounts
  • T1021.004 SSH

Decision Tree

  1. Does an authorized_keys file exist?

    • Enumerate every account from /etc/passwd plus root, not just /home; service accounts keep homes elsewhere.
    • Check both default names (authorized_keys, authorized_keys2) and any AuthorizedKeysFile or AuthorizedKeysCommand set in the effective sshd config.
  2. Is key content expected?

    • Compare fingerprints (ssh-keygen -lf) against baseline, deployment tooling, known admin keys.
    • Read the option prefix: command=, from=, restrict, no-pty.
  3. When was key inserted?

    • Check mtime, ctime, nearby auth events; mtime can be backdated with touch, ctime cannot without moving the system clock.
  4. Was key used?

    • Search Accepted publickey; at LogLevel VERBOSE the log also names the matching file and line.
  5. Which account owns the key?

    • Determine privilege level and business role.
  6. Pivot

    • Key comment → operator clues.
    • Source IP → login history.
    • Adjacent shell history → insertion path.
  7. Confirm persistence

    • Unknown key + suspicious login + privilege path = malicious persistence.
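The decision tree above, and the Direct Indicators table before it, turned into a small audit script. This is an added example, not tooling from the knowledge base: it enumerates every passwd account (not only /home), reads both default AuthorizedKeysFile names, parses the option prefix (command=, from=, restrict, and so on, honouring quoted values), computes the SHA256 fingerprint that ssh-keygen -lf prints, and maps each entry to the indicator names used in the tables. The passwd file, home directories, key blobs (built from a hash, not real keys) and baseline fingerprint set are constructed fixtures written to a temp directory; the trusted comment domains and the flag names are this example's own assumptions.

```python
"""Audit authorized_keys entries following the decision tree above.
Added example, not the knowledge base's own tooling. The passwd file, home
directories, key blobs and baseline are constructed fixtures in a temp dir;
the trusted comment domains are an analyst-supplied assumption."""
import base64, hashlib, os, re, struct, tempfile

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def _split_options(line):
    """Split the comma-separated option prefix; quoted values may hold commas and \\" escapes."""
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and i + 1 < len(line):   # keep escaped quote verbatim
            cur, i = cur + line[i:i + 2], i + 2
            continue
        if c == '"':
            quoted = not quoted
        elif not quoted and c == ",":
            opts, cur, i = opts + [cur], "", i + 1
            continue
        elif not quoted and c in " \t":                   # first unquoted blank ends the options
            break
        cur, i = cur + c, i + 1
    return opts + [cur], line[i:].strip()

def parse_authorized_key(line):
    """Return {type, fingerprint, comment, options} or None for blank, comment or unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if line.split()[0] not in KEY_TYPES:              # line starts with an option list
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:   # certificate and unknown types are skipped
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    # Same value ssh-keygen -lf prints: base64(sha256(blob)) without padding
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    opts = {k: (v.strip('"') if v else True) for k, _, v in (o.partition("=") for o in options)}
    return {"type": parts[0], "fingerprint": fp, "options": opts,
            "comment": parts[2] if len(parts) == 3 else ""}

def assess(entry, user, baseline_fps, trusted_domains=()):
    """Map one entry to the indicator names used in the tables above."""
    flags = []
    if entry["fingerprint"] not in baseline_fps:
        flags.append("unknown-key")
    if user == "root":
        flags.append("root-key")
    if "command" in entry["options"]:
        flags.append("forced-command")
    if "from" in entry["options"]:
        flags.append("from-restriction")
    m = re.search(r"@([\w.-]+)", entry["comment"])    # host or mail domain in the comment
    if m and m.group(1).lower() not in trusted_domains:
        flags.append("foreign-comment-host")
    return flags

def audit(passwd_path, baseline_fps, trusted_domains=(), prefix=""):
    """Walk every passwd home (prefix='' on a live host) and both default AuthorizedKeysFile names."""
    findings = []
    with open(passwd_path) as pw:
        users = [(r.split(":")[0], r.split(":")[5]) for r in pw if r.count(":") >= 6]
    for user, home in users:
        for name in ("authorized_keys", "authorized_keys2"):
            path = os.path.join(prefix + home, ".ssh", name)
            if not os.path.isfile(path):
                continue
            st = os.stat(path)                          # ctime is the honest insertion clock
            with open(path) as kf:
                for n, line in enumerate(kf, 1):
                    e = parse_authorized_key(line)
                    if e:
                        findings.append({"user": user, "file": path, "line": n, **e,
                                         "mtime": st.st_mtime, "ctime": st.st_ctime,
                                         "flags": assess(e, user, baseline_fps, trusted_domains)})
    return findings

def make_key_line(seed, options="", comment=""):
    """Constructed ssh-ed25519 entry; the 32-byte 'public key' is a hash, not a usable key."""
    blob = struct.pack(">I11sI", 11, b"ssh-ed25519", 32) + hashlib.sha256(seed.encode()).digest()
    line = "ssh-ed25519 " + base64.b64encode(blob).decode() + (" " + comment if comment else "")
    return (options + " " if options else "") + line

def build_fixture():
    """Constructed passwd and homes under a temp dir; returns (passwd_path, prefix, baseline_fps)."""
    d = tempfile.mkdtemp(prefix="ak-audit-")
    homes = {"root": "/root", "alice": "/home/alice", "postgres": "/var/lib/postgresql"}
    with open(os.path.join(d, "passwd"), "w") as f:
        f.writelines(f"{u}:x:1000:1000::{h}:/bin/bash\n" for u, h in homes.items())
    known = make_key_line("alice-workstation", comment="alice@corp.example")
    files = {"/home/alice/.ssh/authorized_keys": known,
             "/root/.ssh/authorized_keys": make_key_line("unknown-1", comment="op@laptop-7"),
             "/var/lib/postgresql/.ssh/authorized_keys2":
                 make_key_line("unknown-2", 'from="203.0.113.9",command="/tmp/.x/run"')}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(d + rel), exist_ok=True)
        with open(d + rel, "w") as f:
            f.write(body + "\n")
    return os.path.join(d, "passwd"), d, {parse_authorized_key(known)["fingerprint"]}

if __name__ == "__main__":
    passwd, prefix, baseline = build_fixture()
    print(*audit(passwd, baseline, {"corp.example"}, prefix), sep="\n")
```

On a live host call audit("/etc/passwd", baseline_fingerprints, trusted_domains) with no prefix; the fixture exists only so the script runs offline. Keys served through an AuthorizedKeysCommand or an alternate AuthorizedKeysFile are outside this walk, which is why the decision tree tells you to read the effective sshd config first.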

Example Detection Templates

Grep

find /home /root -name 'authorized_keys*' -type f 2>/dev/null
# Service accounts often keep homes outside /home: enumerate from passwd; OpenSSH's default AuthorizedKeysFile covers both names
awk -F: '$6 != "" {print $6}' /etc/passwd | sort -u | while read -r h; do ls -la "$h/.ssh/authorized_keys" "$h/.ssh/authorized_keys2" 2>/dev/null; done
# An alternate AuthorizedKeysFile or an AuthorizedKeysCommand moves the key source outside ~/.ssh entirely
sshd -T 2>/dev/null | grep -iE '^authorizedkeys(file|command)'
grep -rE "ssh-(rsa|ed25519|dss)|ecdsa-sha2|sk-(ssh-ed25519|ecdsa)" /home /root/.ssh 2>/dev/null
grep -h "Accepted publickey" /var/log/auth.log* /var/log/secure* 2>/dev/null
grep -H "authorized_keys" /home/*/.bash_history /root/.bash_history 2>/dev/null

Journalctl

# Unit is ssh on Debian/Ubuntu and sshd on RHEL/Fedora/Arch; -t sshd matches the syslog identifier on both
journalctl -t sshd --no-pager | grep "Accepted publickey"
journalctl -u ssh -u sshd --no-pager | grep "userauth_pubkey"   # mostly present at LogLevel VERBOSE/DEBUG

File Inspection

stat /root/.ssh/authorized_keys
# Compare Modify (mtime, forgeable with touch -r) against Change (ctime, only movable by altering the system clock)
find /home /root -name 'authorized_keys*' -exec stat -c '%n owner=%U:%G mode=%a mtime=%y ctime=%z' {} \;

Sigma

title: Linux SSH Key Persistence
id: linux-ssh-key-persistence
status: experimental
description: Detects SSH key-based persistence indicators and public key authentication activity
logsource:
  product: linux
  service: auth
detection:
  selection:
    message|contains:
      - 'Accepted publickey'
      - 'userauth_pubkey'
  condition: selection
fields:
  - message
  - hostname
  - source_ip
falsepositives:
  - Legitimate administrator SSH key usage
level: high
tags:
  - attack.persistence
  - attack.t1098.004
  - attack.t1021.004
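The Sigma rule above fires on every key login; the triage that follows is the correlation described in the Indirect Indicators and Analyst Notes tables (password login followed by a key login, key login from an untrusted source, unknown fingerprint, root key login). This is an added example, not content from the knowledge base: LOG is constructed in the syslog form sshd writes at the default LogLevel INFO (journalctl output differs only in the zero-padded day, which the parser accepts), TRUSTED_NETS and KNOWN_FPS stand in for the inventory an analyst would supply, the fingerprint strings are placeholders, and the indicator names are this example's own.

```python
"""Correlate sshd auth events for the sequence and source/key anomalies in the tables above.
Added example, not the knowledge base's own content. LOG, TRUSTED_NETS and
KNOWN_FPS are constructed fixtures; fingerprints are placeholders."""
import ipaddress
import re
from datetime import datetime, timedelta

LOG = """\
Mar  3 08:12:01 web1 sshd[2211]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
Mar  3 08:19:44 web1 sshd[2290]: Accepted publickey for alice from 203.0.113.5 port 51240 ssh2: ED25519 SHA256:alicekey
Mar  3 09:02:10 web1 sshd[2410]: Accepted publickey for bob from 10.0.0.12 port 40022 ssh2: ED25519 SHA256:bobkey
Mar  4 01:15:33 web1 sshd[3001]: Accepted publickey for root from 198.51.100.77 port 55010 ssh2: RSA SHA256:unknownkey
Mar  4 01:15:40 web1 sshd[3002]: Failed password for invalid user admin from 198.51.100.77 port 55011 ssh2
"""
TRUSTED_NETS = ("10.0.0.0/8",)                      # assumption: corporate management range
KNOWN_FPS = {"SHA256:alicekey", "SHA256:bobkey"}    # assumption: fingerprints from the key baseline

# Matches syslog and journalctl output; the trailing "<type> <fingerprint>" is only present for publickey
ACCEPTED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2(?:: \S+ (?P<fp>\S+))?")

def parse_events(text, year=2024):
    """Syslog lines carry no year, so one is assumed; lines other than 'Accepted ...' are ignored here."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "method": m["method"], "user": m["user"],
                           "ip": m["ip"], "fp": m["fp"]})
    return events

def hunt(events, trusted_nets=TRUSTED_NETS, known_fps=KNOWN_FPS, window_minutes=60):
    """Return (user, indicator, detail) tuples for each publickey acceptance that needs review."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    window = timedelta(minutes=window_minutes)
    last_password = {}                               # user -> timestamp of latest password login
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["method"] == "password":
            last_password[e["user"]] = e["ts"]
            continue
        if e["method"] != "publickey":
            continue
        # Classic stabilization: password foothold, then a key login shortly after
        if e["user"] in last_password and e["ts"] - last_password[e["user"]] <= window:
            findings.append((e["user"], "password-then-publickey", e["ip"]))
        if not any(ipaddress.ip_address(e["ip"]) in n for n in nets):
            findings.append((e["user"], "publickey-from-untrusted-source", e["ip"]))
        if e["fp"] and e["fp"] not in known_fps:      # key never enrolled in the baseline
            findings.append((e["user"], "publickey-unknown-fingerprint", e["fp"]))
        if e["user"] == "root":
            findings.append((e["user"], "root-publickey-login", e["ip"]))
    return findings

if __name__ == "__main__":
    for user, indicator, detail in hunt(parse_events(LOG)):
        print(f"{user:<6} {indicator:<32} {detail}")
```

Feed it the output of grep "Accepted" /var/log/auth.log or journalctl -t sshd and a real baseline; the unknown-fingerprint check only works because modern OpenSSH appends the fingerprint to the Accepted line, so on older daemons raise LogLevel to VERBOSE to get it.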

Mitigation & Hardening

Control Area | Mitigation | Effectiveness | Notes
Key governance | Baseline all authorized keys by fingerprint | Critical | Unknown keys should stand out immediately.
Root SSH | Set PermitRootLogin no where possible | Critical | Removes the highest-value persistence target; prohibit-password still accepts root keys.
Key rotation | Periodic review and rotation | High | Reduces stale persistence risk.
File integrity monitoring | Watch .ssh/authorized_keys (auditd -w rule with -p wa, or a FIM agent) | Critical | Excellent invariant detection.
Source restrictions | Use from= intentionally or monitor unexpected ones | High | Limits key misuse.
Logging | Preserve public key auth logs; LogLevel VERBOSE also records which file and line matched | High | Needed to prove use.
Centralized access | Prefer managed SSH access systems (CA-signed certificates, AuthorizedKeysCommand backed by inventory) | High | Reduces unmanaged local key sprawl.

Fast Triage Checks

Question | Command / Artifact | Why It Matters
Which users have authorized keys? | find /home /root -name 'authorized_keys*', plus the homes of service accounts from /etc/passwd | Establish persistence surface.
Which key changed recently? | stat authorized_keys (compare mtime with ctime) | Timeline anchor.
Was key used? | grep "Accepted publickey" | Confirms operational access.
Does root have unknown key? | inspect root key file | Highest severity check.
Was key inserted interactively? | shell history grep | Attribution clue.
Are key comments suspicious? | inspect raw key line | Often reveals operator hints.

High Value Grep Strings

Pattern | Why It Matters
Accepted publickey | Successful key auth.
userauth_pubkey | SSH key auth process evidence (mainly at LogLevel VERBOSE/DEBUG).
authorized_keys | Direct persistence artifact reference.
ssh-rsa | Common key type.
ssh-ed25519 | Common modern key type.
command= | Forced command persistence clue.
from= | Restricted-source persistence clue.

Analyst Notes

Scenario | Interpretation
Password login then publickey login later | Strong attacker stabilization pattern.
Root authorized_keys modified recently | Critical privileged persistence lead.
Unknown key on dormant account | Silent foothold likely.
Key comment references laptop/email | Valuable operator clue.
Publickey success with no recent key change | Possible older persistence or stolen pre-existing key.
Forced command inside key | Hidden execution logic may exist.