The persistence weeper
Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, they may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).

Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured.
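Because authorized_keys is the list of keys allowed to log in, a defender's baseline check is to parse each entry, fingerprint the key the way OpenSSH does (SHA256 over the decoded key blob) and flag any fingerprint that was never provisioned. The script below is an added example, not code from the page above or from any project it describes; the approved-fingerprint set, the trimmed list of key types and the sample file contents are all constructed for the illustration.

```python
import base64
import hashlib
# Key types accepted in authorized_keys (subset; extend as needed).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com"}
def ed25519_blob(raw_pubkey):
    """Base64 blob for a 32-byte ed25519 public key (SSH wire strings: 4-byte length + data)."""
    wire = b"".join(len(s).to_bytes(4, "big") + s for s in (b"ssh-ed25519", raw_pubkey))
    return base64.b64encode(wire).decode()
def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(decoded blob)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
def _tokenize(line):
    """Split on whitespace, keeping quoted option values (which may contain spaces) intact."""
    tokens, cur, quoted = [], [], False
    for ch in line:
        quoted ^= ch == '"'
        if ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return tokens + ["".join(cur)] if cur else tokens

def parse_line(line):
    """Return {options, type, blob, comment, fingerprint}; None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _tokenize(line)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):  # everything before the type is the option list
            blob = tokens[i + 1]
            return {"options": "".join(tokens[:i]), "type": tok, "blob": blob,
                    "comment": " ".join(tokens[i + 2:]), "fingerprint": fingerprint(blob)}
    return None
def audit(text, approved):
    """(line number, fingerprint, comment) for every key whose fingerprint is not in the approved set."""
    entries = ((n, parse_line(raw)) for n, raw in enumerate(text.splitlines(), 1))
    return [(n, e["fingerprint"], e["comment"]) for n, e in entries if e and e["fingerprint"] not in approved]

# Constructed sample: one approved key carrying a source restriction, one key nobody provisioned.
APPROVED_BLOB = ed25519_blob(bytes(range(32)))
UNKNOWN_BLOB = ed25519_blob(bytes(range(32, 64)))
SAMPLE = ("# managed by configuration management\n"
          f'from="192.0.2.0/24" ssh-ed25519 {APPROVED_BLOB} admin@bastion\n'
          f"ssh-ed25519 {UNKNOWN_BLOB} unknown@host\n")
APPROVED = {fingerprint(APPROVED_BLOB)}
```

In practice the approved set comes from your provisioning source of truth and the audit runs over every user's file (and any AuthorizedKeysFile paths set in sshd_config), with a file-integrity alert on modification as the complementary control.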