From ec675bfb8dcd46d61aea0f9244867d5875a57429 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 14 Feb 2023 20:36:27 -0500
Subject: [PATCH] New detector: unexpected ssh-authorized-keys

---
 .../unexpected-ssh-authorized-keys.sql | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 detection/persistence/unexpected-ssh-authorized-keys.sql

diff --git a/detection/persistence/unexpected-ssh-authorized-keys.sql b/detection/persistence/unexpected-ssh-authorized-keys.sql
new file mode 100644
index 0000000..f60372a
--- /dev/null
+++ b/detection/persistence/unexpected-ssh-authorized-keys.sql
@@ -0,0 +1,29 @@
+-- Find unexpected SSH authorized keys
+--
+-- references:
+-- * https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/
+-- * https://www.countercraftsec.com/blog/dota3-malware-again-and-again/
+-- * https://attack.mitre.org/techniques/T1098/004/
+-- * https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html
+--
+-- tags: persistent state filesystem
+-- platform: posix
+SELECT file.path,
+ file.uid,
+ file.gid,
+ file.atime,
+ file.mtime,
+ file.ctime,
+ file.size,
+ hash.sha256,
+ users.username,
+ users.uid AS u_uid
+FROM users
+ JOIN file ON file.path = users.directory || "/.ssh/authorized_keys"
+ JOIN hash ON file.path = hash.path
+WHERE file.uid != u_uid
+ OR file.uid < 500
+ OR (
+ file.path NOT LIKE '/home/%'
+ AND file.path NOT LIKE '/Users/%'
+ )
\ No newline at end of file
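Review bot: The join in the new query matches only `.ssh/authorized_keys`, so a key dropped into `.ssh/authorized_keys2` — which OpenSSH's default `AuthorizedKeysFile` also reads — is never seen by this detector, and a non-default `AuthorizedKeysFile` in sshd_config is out of reach entirely, which deserves a caveat in the header comment. The path literal is also double-quoted (`"/.ssh/authorized_keys"`), which SQLite only treats as a string because it fails to resolve as an identifier, while the `LIKE` patterns below use single quotes; I would write the join as `JOIN file ON file.path IN (users.directory || '/.ssh/authorized_keys', users.directory || '/.ssh/authorized_keys2')` (or two UNION ALL'd selects if the file table does not push an IN constraint on path). Separately, the WHERE predicates flag a file only by owner and location, so a key appended to a legitimate user's own file — which the cited reports appear to describe — is not surfaced here even though mtime and sha256 are selected; a header note such as `-- NOTE: ownership/location check only; pair with file_events or a differential query to catch keys appended to an existing file` would set expectations for whoever deploys it.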