This artifact will parse ~/.ssh/authorized_keys and ~/.ssh/id_*.pub looking for the command option to detect potential persistence
name: Linux.Detection.SSHKeyFileCmd
author: alternate
description: |
This artifact will parse ~/.ssh/authorized_keys and ~/.ssh/id_*.pub looking for the command option
to detect potential persistence
reference:
- https://github.com/4ltern4te/velociraptor-contrib/blob/main/Linux.Detection.SSHKeyFileCmd/README.md
- https://blog.thc.org/infecting-ssh-public-keys-with-backdoors
- https://man.openbsd.org/OpenBSD-current/man8/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT
type: CLIENT
precondition: SELECT OS From info() where OS = "linux"
parameters:
- name: SSHKeyFilesGlob
default: |
["/{root,home/*}/.ssh/authorized_keys","/{root,home/*}/.ssh/authorized_keys2","/{root,home/*}/.ssh/*.pub"]
- name: CommandRegex
description: Command option regex
default: (?P<CMD>command=".*?")
type: regex
sources:
- name: findSSHAuthKeyCmd
query: |
LET files = SELECT OSPath FROM glob(globs=parse_json_array(data=SSHKeyFilesGlob))
SELECT OSPath, CMD FROM foreach(
row=files,
query={
SELECT OSPath, CMD FROM parse_records_with_regex(file=OSPath, regex=CommandRegex)
}
)