MITRE ATT&CK Technique
Description
Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code><user-home>/.ssh/authorized_keys</code> (or, on ESXi, `/etc/ssh/keys-<username>/authorized_keys`).(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH.(Citation: Broadcom ESXi SSH) The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>. Adversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user. Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-06-24T12:42:35.144Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may modify the SSH <code>authorized_keys</code> '
'file to maintain persistence on a victim host. Linux '
'distributions, macOS, and ESXi hypervisors commonly use '
'key-based authentication to secure the authentication process '
'of SSH sessions for remote management. The '
'<code>authorized_keys</code> file in SSH specifies the SSH '
'keys that can be used for logging into the user account for '
'which the file is configured. This file is usually found in '
"the user's home directory under "
'<code><user-home>/.ssh/authorized_keys</code> (or, on '
'ESXi, `/etc/ssh/keys-<username>/authorized_keys`).(Citation: '
'SSH Authorized Keys) Users may edit the system’s SSH config '
'file to modify the directives `PubkeyAuthentication` and '
'`RSAAuthentication` to the value `yes` to ensure public key '
'and RSA authentication are enabled, as well as modify the '
'directive `PermitRootLogin` to the value `yes` to enable root '
'authentication via SSH.(Citation: Broadcom ESXi SSH) The SSH '
'config file is usually located under '
'<code>/etc/ssh/sshd_config</code>.\n'
'\n'
'Adversaries may modify SSH <code>authorized_keys</code> files '
'directly with scripts or shell commands to add their own '
'adversary-supplied public keys. In cloud environments, '
'adversaries may be able to modify the SSH authorized_keys '
'file of a particular virtual machine via the command line '
'interface or rest API. For example, by using the Google Cloud '
'CLI’s “add-metadata” command an adversary may add SSH keys to '
'a user account.(Citation: Google Cloud Add '
'Metadata)(Citation: Google Cloud Privilege Escalation) '
'Similarly, in Azure, an adversary may update the '
'authorized_keys file of a virtual machine via a PATCH request '
'to the API.(Citation: Azure Update Virtual Machines) This '
'ensures that an adversary possessing the corresponding '
'private key may log in as an existing user via SSH.(Citation: '
'Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) '
'It may also lead to privilege escalation where the virtual '
'machine or instance has distinct permissions from the '
'requesting user.\n'
'\n'
'Where authorized_keys files are modified via cloud APIs or '
'command line interfaces, an adversary may achieve privilege '
'escalation on the target virtual machine if they add a key to '
'a higher-privileged user. \n'
'\n'
'SSH keys can also be added to accounts on network devices, '
'such as with the `ip ssh pubkey-chain` [Network Device '
'CLI](https://attack.mitre.org/techniques/T1059/008) '
'command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)',
'external_references': [{'external_id': 'T1098.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1098/004'},
{'description': 'Blachman, Y. (2020, April 22). '
'Growing Abuse of SSH Keys: Commodity '
'Malware Campaigns Now Equipped with '
'SSH Capabilities. Retrieved June 24, '
'2020.',
'source_name': 'Venafi SSH Key Abuse',
'url': 'https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities'},
{'description': 'Broadcom. (2024, December 12). '
'Allowing SSH access to VMware '
'vSphere ESXi/ESX hosts with '
'public/private key authentication. '
'Retrieved March 26, 2025.',
'source_name': 'Broadcom ESXi SSH',
'url': 'https://knowledge.broadcom.com/external/article/313767/allowing-ssh-access-to-vmware-vsphere-es.html'},
{'description': 'Chris Moberly. (2020, February 12). '
'Tutorial on privilege escalation and '
'post exploitation tactics in Google '
'Cloud Platform environments. '
'Retrieved April 1, 2022.',
'source_name': 'Google Cloud Privilege Escalation',
'url': 'https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/'},
{'description': 'Cisco. (2021, August 23). ip ssh '
'pubkey-chain. Retrieved July 13, '
'2022.',
'source_name': 'cisco_ip_ssh_pubkey_ch_cmd',
'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478'},
{'description': 'Cybereason Nocturnus. (2019, June '
'13). New Pervasive Worm Exploiting '
'Linux Exim Server Vulnerability. '
'Retrieved June 24, 2020.',
'source_name': 'Cybereason Linux Exim Worm',
'url': 'https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability'},
{'description': 'Google Cloud. (2022, March 31). '
'gcloud compute instances '
'add-metadata. Retrieved April 1, '
'2022.',
'source_name': 'Google Cloud Add Metadata',
'url': 'https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata'},
{'description': 'Microsoft. (n.d.). Virtual Machines '
'- Update. Retrieved April 1, 2022.',
'source_name': 'Azure Update Virtual Machines',
'url': 'https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update'},
{'description': 'ssh.com. (n.d.). Authorized_keys '
'File in SSH. Retrieved June 24, '
'2020.',
'source_name': 'SSH Authorized Keys',
'url': 'https://www.ssh.com/ssh/authorized_keys/'}],
'id': 'attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:55.005Z',
'name': 'SSH Authorized Keys',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Tony Lambert, Red Canary',
'Dror Alon, Palo Alto Networks',
'Or Kliger, Palo Alto Networks',
'Austin Clark, @c2defense',
'Arad Inbar, Fidelis Security'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'IaaS', 'Network Devices', 'ESXi'],
'x_mitre_version': '1.4'}