ssh-keygen

ssh-keygen is a tool for creating new authentication key pairs for SSH (Secure Shell). ssh-keygen holds the "com.apple.security.cs.disable-library-validation" entitlement and is capable of loading arbitrary libraries without requiring signed code.

Author: Leo Pitt (@_D00mfist) Created: 2023-05-22

Execution Defense Evasion dylib

Paths

/usr/bin/ssh-keygen

Example Use Cases

Execute malicious dynamic library (.dylib) from standard input

An attacker can execute a malicious .dylib from stdin by echoing a load command and piping to tclsh. This will bypass code signing requirements.

ssh-keygen -D /private/tmp/evil.dylib

Execution Defense Evasion dylib

Detections

Recommendations included in resource below. No formal detection content at this time.

Resources

Generate Keys or Generate Dylib Loads?