ssh-keygen #

Created by Leo Pitt (@_D00mfist)

Description ##

ssh-keygen is a tool for creating new authentication key pairs for SSH (Secure Shell). ssh-keygen holds the “com.apple.security.cs.disable-library-validation” entitlement and is capable of loading arbitrary libraries without requiring signed code.

Paths ##

• /usr/bin/ssh-keygen

Use Cases ##

Execute malicious dynamic library (.dylib) from standard input ##

An attacker can execute a malicious .dylib from stdin by echoing a load command and piping to tclsh. This will bypass code signing requirements.

ssh-keygen -D /private/tmp/evil.dylib

Detections ##

• Recommendations included in resource below. No formal detection content at this time.

Resources ##

• Generate Keys or Generate Dylib Loads?