June 11, 2026 · Applied Cybernetics Group
T1098.004 Account Manipulation — SSH Authorized Keys File Modification
production-ready · status: experimental · level: medium
Creation or modification of an SSH authorized_keys file. Adversaries add their own public key to maintain persistent access after initial compromise — a one-line write that survives credential rotation and (on many estates) every patch cycle. Authored from the thrunt.me detection-gap queue (corpus signal with zero SigmaHQ/thrunt tag coverage for T1098.004 at authoring time); analyst-reviewed 2026-06-11.
- Rule ID: f430d288-7ffd-5675-b9e4-5276a2a5faf0
- Status: experimental
- Level: medium
- Log source: category: file_event · product: linux
- Date: 2026-06-11
- Modified: 2026-06-11
- ATT&CK: T1098.004 (signal rollup)
- Canonical YAML: t1098-004-ssh-authorized-keys-write.yml
References
- https://thrunt.me/sigma/t1098-004-ssh-authorized-keys-write.yml
- https://thrunt.me/corpus/attck/T1098.004/
- https://attack.mitre.org/techniques/T1098/004/
False positives
- Legitimate user key provisioning (ssh-copy-id, manual key rotation).
- Configuration management (Ansible/Puppet/Salt) and cloud-init key deployment at instance boot.
- Home-directory backup/restore operations touching dotfiles.
Rule YAML

```yaml
title: 'T1098.004 Account Manipulation — SSH Authorized Keys File Modification'
id: 'f430d288-7ffd-5675-b9e4-5276a2a5faf0'
status: 'experimental'
description: 'Creation or modification of an SSH authorized_keys file. Adversaries add their own public key to maintain persistent access after initial compromise — a one-line write that survives credential rotation and (on many estates) every patch cycle. Authored from the thrunt.me detection-gap queue (corpus signal with zero SigmaHQ/thrunt tag coverage for T1098.004 at authoring time); analyst-reviewed 2026-06-11.'
references:
  - 'https://thrunt.me/sigma/t1098-004-ssh-authorized-keys-write.yml'
  - 'https://thrunt.me/corpus/attck/T1098.004/'
  - 'https://attack.mitre.org/techniques/T1098/004/'
author: 'Applied Cybernetics Group (via thrunt.me)'
date: '2026-06-11'
modified: '2026-06-11'
tags:
  - 'attack.persistence'
  - 'attack.t1098.004'
  - 'tlp.clear'
logsource:
  category: 'file_event'
  product: 'linux'
  # NOTE: file_event on Linux assumes Sysmon-for-Linux (FileCreate). On pure-auditd estates, re-shape as a -w path watch (service: auditd, type/name fields) instead.
  # NOTE: Consider excluding Image paths for config management (ansible/puppet/salt agents) and cloud-init after baselining — exclusions belong in a filter_* selection, not deletion of the broad match.
detection:
  selection:
    TargetFilename|endswith:
      - '/.ssh/authorized_keys'
      - '/.ssh/authorized_keys2'
  condition: 'selection'
falsepositives:
  - 'Legitimate user key provisioning (ssh-copy-id, manual key rotation).'
  - 'Configuration management (Ansible/Puppet/Salt) and cloud-init key deployment at instance boot.'
  - 'Home-directory backup/restore operations touching dotfiles.'
level: 'medium'
```
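To see what the selection actually fires on, and how the two NOTE comments play out, the following is an added example (not code from the thrunt.me page or the rule's author). It applies the `TargetFilename|endswith` selection to constructed Sysmon-for-Linux FileCreate (EventID 11) records, adds a hypothetical `filter_config_mgmt` exclusion of the kind the second NOTE recommends (the agent Image prefixes are assumptions, not a baselined list), and emits the auditd `-w` watches the first NOTE describes for estates without Sysmon.

```python
"""Evaluate the T1098.004 authorized_keys rule over constructed file events.

Added example, not part of the thrunt.me rule or its author's tooling.
"""
import json

# Rule selection: TargetFilename|endswith. Sigma string matching is
# case-insensitive by default, so the comparison is done on the lowercased path.
AUTHORIZED_KEYS_SUFFIXES = ("/.ssh/authorized_keys", "/.ssh/authorized_keys2")

# Hypothetical filter_config_mgmt list (assumption for this example): Image
# prefixes of provisioning agents. Baseline the estate before excluding anything.
CONFIG_MGMT_IMAGE_PREFIXES = (
    "/usr/bin/salt-minion",
    "/opt/puppetlabs/",
    "/usr/bin/cloud-init",
)


def selection(event):
    """The rule's `selection` block: path ends with an authorized_keys suffix."""
    return event.get("TargetFilename", "").lower().endswith(AUTHORIZED_KEYS_SUFFIXES)


def filter_config_mgmt(event):
    """Hypothetical filter_* block: the writing process is a known provisioning agent."""
    return event.get("Image", "").startswith(CONFIG_MGMT_IMAGE_PREFIXES)


def matches(event, exclude_config_mgmt=True):
    """condition: `selection and not filter_config_mgmt`, or bare `selection`."""
    if not selection(event):
        return False
    return not (exclude_config_mgmt and filter_config_mgmt(event))


def evaluate(log_lines, exclude_config_mgmt=True):
    """Parse JSON event lines and return the TargetFilenames that would alert."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if matches(event, exclude_config_mgmt):
            hits.append(event["TargetFilename"])
    return hits


def auditd_watch_rules(home_dirs, key="t1098_004_authorized_keys"):
    """auditd reshaping of the same selection: one -w watch per concrete path.

    auditd -w takes no globs, so the caller supplies the real home directories
    present on the host; -p wa logs write and attribute changes under one key.
    """
    rules = []
    for home in home_dirs:
        for suffix in AUTHORIZED_KEYS_SUFFIXES:
            rules.append(f"-w {home.rstrip('/')}{suffix} -p wa -k {key}")
    return rules


# Constructed sample events shaped like Sysmon-for-Linux EventID 11 records;
# users, paths and images are made up for the example.
SAMPLE_LOG = """
{"EventID": 11, "Image": "/usr/bin/bash", "User": "deploy", "TargetFilename": "/home/deploy/.ssh/authorized_keys"}
{"EventID": 11, "Image": "/usr/bin/tee", "User": "root", "TargetFilename": "/root/.ssh/authorized_keys2"}
{"EventID": 11, "Image": "/usr/bin/salt-minion", "User": "root", "TargetFilename": "/home/svc/.ssh/authorized_keys"}
{"EventID": 11, "Image": "/usr/bin/ssh", "User": "deploy", "TargetFilename": "/home/deploy/.ssh/known_hosts"}
{"EventID": 11, "Image": "/usr/bin/cp", "User": "deploy", "TargetFilename": "/tmp/authorized_keys"}
"""

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_LOG.splitlines()):
        print("ALERT", hit)
    print("\n".join(auditd_watch_rules(["/root", "/home/deploy"])))
```

Run as written, the interactive shell and `tee` writes alert, the salt-minion write is dropped by the hypothetical filter, and `known_hosts` and a stray `/tmp/authorized_keys` never enter the selection because the suffix requires the `/.ssh/` directory. Two caveats for tuning: the filter keys on Image only, so an interactive process masquerading under an agent path would be excluded too (pair it with User or ParentImage before trusting it), and Sysmon's FileCreate event covers creation and overwrite, so an in-place append to an existing file may need the auditd watch rather than this rule.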