Clankerusecase
MITRE ATT&CK detection coverage

T1098.004 SSH Authorized Keys

T1098.004 — SSH Authorized Keys is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 12 detection use cases covering it and 6 threat-intel articles citing it.

Tactics: Persistence, Privilege Escalation
12 Use cases
6 Articles
0 Sub-techniques
2 Tactics

Use cases covering this technique (12)

GitHub SSH key added from suspicious IP (Internal install · alerting)
[WEEKLY] Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) (Internal exploit · alerting)
Linux Auditd Possible Access Or Modification Of Sshd Config File (ESCU actions · hunting)
Linux Possible Access Or Modification Of sshd Config File (ESCU actions · hunting)
Linux Possible Ssh Key File Creation (ESCU actions · hunting)
Linux SSH Authorized Keys Modification (ESCU actions · hunting)
[LLM] File writes to sensitive paths by LangGraph Python/Node runtime (Bespoke actions · hunting)
[LLM] Worm-injected .github/setup.js commit with 'chore: update dependencies [skip ci]' message (Bespoke actions · alerting)
[LLM] Boxlite sandbox writes to SSH authorized_keys (post-exploit RCE pivot) (Bespoke install · alerting)
[LLM] Apache Camel JVM writing files to sensitive paths via camel-file (CVE-2026-47323 arbitrary file write) (Bespoke install · hunting)
[LLM] UAT-8616 post-compromise on SD-WAN: SSH key add, NETCONF edit, su root, XMRig miner.sh (Bespoke actions · alerting)
[LLM] npm postinstall SSH-backdoor chain: node spawning sudo ufw allow 22/tcp + chown ~/.ssh (Bespoke install · alerting)

Articles citing this technique (6)