This note documents detection patterns for the SSH authorized_keys backdoor on Linux systems: persistence gained by appending an attacker-controlled public key to an account's ~/.ssh/authorized_keys so that sshd accepts the attacker's private key without a password.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| SSH artifact | New entry in ~/.ssh/authorized_keys | SSH persistence | Critical | Most common Linux persistence path; a new entry is only recognizable against a baseline of known key fingerprints. |
| Shell history | echo "ssh-rsa ..." >> ~/.ssh/authorized_keys | Manual key insertion | Critical | Direct attacker action; the same pattern appears with ssh-ed25519 and ecdsa-sha2 key types. |
| Shell history | cat key.pub >> ~/.ssh/authorized_keys | Public key append | Critical | Strong persistence evidence. |
| Shell history | mkdir -p ~/.ssh | SSH path creation | High | Often precedes insertion on accounts that never used key authentication. |
| Shell history | chmod 600 ~/.ssh/authorized_keys, chmod 700 ~/.ssh | Permission normalization | High | Common post-insertion step: with StrictModes (the default) sshd ignores an authorized_keys file or .ssh directory that is group- or world-writable, so the attacker has to fix the mode for the key to work. |
| File timestamps | Recent mtime/ctime on authorized_keys (stat) | Timeline anchor | Critical | High-value forensic truth; ctime cannot be set with touch, so it survives mtime forgery. |
| Key contents | Multiple unknown keys in one file | Unauthorized persistence | Critical | Immediate anomaly. |
| Key contents | Key inserted for root | Privileged persistence | Critical | Highest severity. |
| Key contents | Key inserted for a service account | Stealth persistence | Critical | Often overlooked foothold: accounts with a login shell but no interactive owner. |
| auditd | Write to ~/.ssh/authorized_keys (path watch) | Process attribution | Critical | Best attribution if enabled: the record carries pid, exe and auid (the original login user, even after sudo). |
| Journald / auth log | Accepted publickey ... with a fingerprint not in the baseline | Runtime proof | Critical | Confirms operational use; sshd logs the key fingerprint on every public-key login. |
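The auditd row above is the attribution source worth automating. The following is an added example for this note, not tooling from the original page: it groups audit.log records by their msg=audit(timestamp:serial) id and, for every successful write to an authorized_keys file, reports who did it (auid versus uid, pid, exe, decoded PROCTITLE) and whether the file was opened for append ('>>') or truncation ('>'). It assumes a watch rule such as `-w /root/.ssh/authorized_keys -p wa -k ssh_keys` is loaded and that the SYSCALL fields follow the x86_64 layout (openat flags in a2); the log lines are constructed samples in that format.

```python
"""Attribute writes to ~/.ssh/authorized_keys from auditd records.
Added example for this note, not tooling from the original page. It assumes a watch rule such as
'-w /root/.ssh/authorized_keys -p wa -k ssh_keys' is loaded, so each write emits SYSCALL, CWD,
PATH and PROCTITLE records sharing one msg=audit(timestamp:serial) id. The log lines below are
constructed samples in that format (x86_64 field layout)."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timezone

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
O_APPEND, O_TRUNC = 0x400, 0x200
FLAG_ARG = {"257": "a2", "2": "a1"}   # openat -> a2, open -> a1 (x86_64 syscall numbers)


def parse_record(line: str):
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return rtype, float(ts), serial, fields


def decode_proctitle(value: str) -> str:
    """PROCTITLE is hex-encoded (NUL between argv entries) unless it was a plain safe string."""
    try:
        return bytes.fromhex(value).replace(b"\x00", b" ").decode(errors="replace")
    except ValueError:
        return value


def attribute_authorized_keys_writes(lines) -> list[dict]:
    """Group records by serial; keep successful events whose PATH item is an authorized_keys file."""
    events = defaultdict(lambda: {"syscall": {}, "paths": [], "proctitle": ""})
    for line in lines:
        parsed = parse_record(line)
        if not parsed:
            continue
        rtype, ts, serial, f = parsed
        ev = events[serial]
        ev["ts"] = ts
        if rtype == "SYSCALL":
            ev["syscall"] = f
        elif rtype == "PATH":
            ev["paths"].append(f)
        elif rtype == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(f.get("proctitle", ""))
    findings = []
    for serial, ev in events.items():
        sc = ev["syscall"]
        hits = [p for p in ev["paths"] if p.get("name", "").endswith("/.ssh/authorized_keys")
                and p.get("nametype") in ("NORMAL", "CREATE", "DELETE")]
        if not hits or sc.get("success") != "yes":
            continue  # failed attempts (EACCES before sudo) are noise for attribution
        arg = FLAG_ARG.get(sc.get("syscall"))
        flags = int(sc[arg], 16) if arg in sc else None   # open flags; only meaningful for open/openat
        for p in hits:
            findings.append({
                "serial": serial, "time": datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat(),
                "path": p["name"], "nametype": p["nametype"],
                "auid": sc.get("auid"), "uid": sc.get("uid"),   # auid = original login uid, survives sudo/su
                "pid": sc.get("pid"), "ppid": sc.get("ppid"),
                "exe": sc.get("exe"), "comm": sc.get("comm"), "proctitle": ev["proctitle"],
                "append": None if flags is None else bool(flags & O_APPEND),   # '>>' style write
                "truncate": None if flags is None else bool(flags & O_TRUNC),  # '>' style overwrite
                "key": sc.get("key"),
            })
    return findings


# Constructed sample: a failed append as uid 1001, then the same user after sudo (uid 0, auid 1001)
# appending to root's authorized_keys. a2=441 is O_WRONLY|O_CREAT|O_APPEND; proctitle 62617368 = "bash".
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1709431201.004:9020): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0c3a1e2b0 a2=441 a3=1b6 items=1 ppid=4123 pid=4150 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=7 comm="bash" exe="/usr/bin/bash" key="ssh_keys"',
    'type=PATH msg=audit(1709431201.004:9020): item=0 name="/root/.ssh/authorized_keys" inode=393220 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1709431247.512:9021): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3a1e2b0 a2=441 a3=1b6 items=2 ppid=4170 pid=4190 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="bash" exe="/usr/bin/bash" key="ssh_keys"',
    'type=CWD msg=audit(1709431247.512:9021): cwd="/root"',
    'type=PATH msg=audit(1709431247.512:9021): item=0 name="/root/.ssh/" inode=393217 dev=fd:01 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT',
    'type=PATH msg=audit(1709431247.512:9021): item=1 name="/root/.ssh/authorized_keys" inode=393220 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1709431247.512:9021): proctitle=62617368',
]

if __name__ == "__main__":
    for ev in attribute_authorized_keys_writes(SAMPLE_AUDIT):
        print(f"{ev['time']} {ev['path']} written by pid={ev['pid']} exe={ev['exe']} "
              f"uid={ev['uid']} auid={ev['auid']} append={ev['append']} title={ev['proctitle']!r}")
```

Read the output as the decision tree does: auid is the login identity to pursue even when uid is 0, ppid leads back to the sudo/su that preceded the write (the "key inserted after sudo/root shell" sequence), and append=True with O_CREAT matches the `echo ... >>` and `cat ... >>` patterns in the table above. A `-w` rule watches one path; repeat it per home directory that matters.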
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Key inserted after sudo/root shell | Persistence after escalation | Critical | Strong hostile sequence. |
| Hidden .ssh path created suddenly | New persistence location | Critical | Strong anomaly. |
| Same key across many hosts | Lateral persistence | Critical | Strong campaign signal. |
| Dormant account gains key | Silent persistence | Critical | Common attacker behavior. |
| Key added then history cleared | Cleanup discipline | High | Mature operator clue. |
Common Tools
| Tool | Usage |
|---|---|
| echo | Direct key append. |
| cat | Append public key. |
| chmod | Fix SSH permissions. |
| ssh-copy-id | Legit / attacker-assisted insertion. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Authorized keys | ~/.ssh/authorized_keys | Critical | Primary artifact. |
| SSH dir | ~/.ssh/ | Critical | Supporting context. |
| File timestamps | stat authorized_keys | Critical | Timeline truth; ctime is the field an attacker cannot reset with touch. |
| Shell history | ~/.bash_history (also ~/.zsh_history) | Critical | Insert command evidence; written only on clean shell exit and trivially suppressed, so an empty history proves nothing. |
| SSH login log | journalctl _COMM=sshd, /var/log/auth.log or /var/log/secure | Critical | Accepted publickey lines prove the planted key was used. |
| Audit logs | /var/log/audit/audit.log | Critical | Attribution (pid, auid, exe) when a watch rule on the file is loaded. |
MITRE ATT&CK References
- T1098 Account Manipulation
- T1098.004 SSH Authorized Keys
Decision Tree
- Was a key added? (diff the file against the baseline of known fingerprints; check ctime)
- Which account? (root and service accounts first, then dormant users)
- When was it modified, and what process wrote it? (stat ctime; auditd pid, exe and auid)
- Was the key used afterward? (Accepted publickey entries carrying that fingerprint)
- Same key elsewhere? (search the fleet for the fingerprint to scope the campaign)
Example Detection Templates
Grep
grep -R -E "authorized_keys|ssh-(rsa|ed25519)|ecdsa-sha2|ssh-copy-id" /home/*/.bash_history /root/.bash_history 2>/dev/null
History is only written on clean shell exit and is easily suppressed, so an empty result is not exculpatory.
Journalctl
journalctl _COMM=sshd --since "7 days ago" | grep -E "Accepted publickey"
Compare the logged fingerprints with the baseline; on hosts without a persistent journal, grep /var/log/auth.log or /var/log/secure instead.
File Inspection
find /home /root -name authorized_keys -exec stat -c '%n owner=%U mode=%a mtime=%y ctime=%z' {} \; 2>/dev/null
sshd -T 2>/dev/null | grep -i '^authorizedkeysfile'
The second command prints every path sshd actually consults; a key file placed outside ~/.ssh via AuthorizedKeysFile is missed by the find alone.
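The templates above answer the decision tree by hand. The following is an added example for this note, not tooling from the original page: it performs the key review and the "was it used" correlation in one pass. Each authorized_keys entry (options prefix included) is parsed, its OpenSSH SHA256 fingerprint is computed the way ssh-keygen does (base64 of the SHA-256 of the raw key blob, padding dropped), unknown fingerprints are reported per account, and sshd "Accepted publickey" lines are matched against them. The account files, the baseline and the journal lines are constructed samples; the ed25519 blobs are built from test bytes and are not real keys.

```python
"""Baseline review of authorized_keys entries with login correlation.
Added example for this note, not tooling from the original page. Keys are identified by
their OpenSSH SHA256 fingerprint, computed as ssh-keygen does (base64 of sha256 of the raw
blob, '=' padding dropped), so no ssh binary is needed. All sample data is constructed."""
from __future__ import annotations
import base64, hashlib, re

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")
# sshd logs the key fingerprint on every successful public-key login
ACCEPTED_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: (\S+) (SHA256:\S+)")


def fingerprint(blob_b64: str) -> str:
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_options(line: str) -> tuple[str, str]:
    """Options end at the first space outside double quotes (command="a b" stays one option)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_authorized_keys(text: str) -> list[dict]:
    """Return one dict per valid entry: options, keytype, blob (base64), comment."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if not line.startswith(KEY_TYPES):
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue  # malformed entry; sshd ignores it as well
        keys.append({"options": options, "keytype": parts[0], "blob": parts[1],
                     "comment": parts[2] if len(parts) > 2 else ""})
    return keys


def find_unknown_keys(files: dict[str, str], baseline: set[str]) -> list[dict]:
    """files maps account -> authorized_keys text; baseline holds approved fingerprints."""
    findings = []
    for account, text in files.items():
        for k in parse_authorized_keys(text):
            fp = fingerprint(k["blob"])
            if fp not in baseline:
                findings.append({"account": account, "fingerprint": fp, **k, "used_by": []})
    return findings


def parse_accepted_logins(lines) -> list[dict]:
    out = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            out.append(dict(zip(("user", "src", "keytype", "fingerprint"), m.groups())))
    return out


def correlate(findings: list[dict], logins: list[dict]) -> list[dict]:
    """Attach each login that used an unknown key (same account and fingerprint) to its finding."""
    for f in findings:
        f["used_by"] = [lg for lg in logins
                        if lg["fingerprint"] == f["fingerprint"] and lg["user"] == f["account"]]
    return findings


# --- constructed sample data: throwaway ed25519 blobs in OpenSSH wire format ---
def make_ed25519_pub(key32: bytes) -> str:
    s = lambda b: len(b).to_bytes(4, "big") + b      # SSH string encoding
    return base64.b64encode(s(b"ssh-ed25519") + s(key32)).decode()  # 32 test bytes, not a real key


KEY_DEPLOY = make_ed25519_pub(bytes(32))      # approved deploy key
KEY_ROGUE = make_ed25519_pub(b"\xff" * 32)    # not in the baseline, no comment
SAMPLE_FILES = {
    "root": f"ssh-ed25519 {KEY_DEPLOY} deploy@ci\nssh-ed25519 {KEY_ROGUE}\n",
    "backup": f'command="/usr/local/bin/rsync-only",no-pty ssh-ed25519 {KEY_DEPLOY} backup@nas\n',
}
BASELINE = {fingerprint(KEY_DEPLOY)}
SAMPLE_JOURNAL = [
    "Mar 03 01:58:12 web01 sshd[4001]: Accepted publickey for backup from 10.0.0.5 port 40122 ssh2: ED25519 " + fingerprint(KEY_DEPLOY),
    "Mar 03 02:14:07 web01 sshd[4123]: Accepted publickey for root from 203.0.113.7 port 51822 ssh2: ED25519 " + fingerprint(KEY_ROGUE),
    "Mar 03 02:14:09 web01 sshd[4123]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)",
]


def review(files=SAMPLE_FILES, baseline=BASELINE, journal=SAMPLE_JOURNAL) -> list[dict]:
    return correlate(find_unknown_keys(files, baseline), parse_accepted_logins(journal))


if __name__ == "__main__":
    for f in review():
        used = ", ".join(u["src"] for u in f["used_by"]) or "not yet used"
        print(f"[{f['account']}] unknown {f['keytype']} {f['fingerprint']} comment={f['comment']!r} logins: {used}")
```

On a live host, feed `files` from the paths the find command returns (plus whatever `sshd -T` reports for AuthorizedKeysFile) and `journal` from `journalctl _COMM=sshd`. A finding with an empty comment is itself a weak signal (legitimate keys usually carry user@host), and a finding whose `used_by` list is non-empty moves the case from "key planted" to "key in use", which is the last question of the decision tree.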
Sigma
title: Linux Authorized Keys Backdoor
id: linux-authorized-keys-backdoor
status: experimental
description: Detects writes to an SSH authorized_keys file recorded by an auditd path watch (persistence via an added public key)
references:
    - https://attack.mitre.org/techniques/T1098/004/
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name|endswith: '/.ssh/authorized_keys'
        nametype:
            - 'NORMAL'
            - 'CREATE'
    condition: selection
falsepositives:
    - Legitimate key rollout (ssh-copy-id, configuration management)
level: high
tags:
    - attack.persistence
    - attack.t1098.004
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Key review | Baseline authorized keys per account (ssh-keygen -lf ~/.ssh/authorized_keys lists each entry's fingerprint) and diff on a schedule | Critical | Detects rogue entries; any fingerprint not in the baseline is a finding. |
| Auditd | Track writes to .ssh: -w /root/.ssh/authorized_keys -p wa -k ssh_keys, one rule per home directory | High | Strong attribution; auid names the original login user even after sudo. |
| Central key control | Point AuthorizedKeysFile at a root-owned location outside $HOME, or serve keys with AuthorizedKeysCommand | High | Removes the user-writable artifact; audit the new location instead. |
| MFA | Require a second factor for key logins (AuthenticationMethods publickey,keyboard-interactive) | High | Limits stealth login: a planted key alone no longer grants access. |