Modification of Standard Authentication Module or Configuration

Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.

Elastic rule (View on GitHub)

# Elastic detection rule: alerts on changes to PAM modules (pam_*.so) or PAM
# configuration on Linux/macOS when the (host, executable, file path)
# combination has not been seen before (see [rule.new_terms] at the bottom).
[metadata]
creation_date = "2020/12/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Adversaries may modify the standard authentication module for persistence via patching the normal authorization process
or modifying the login configuration to allow unauthorized access or elevate privileges.
"""
false_positives = [
    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
# Start of the time range each rule execution queries (relative to now).
from = "now-9m"
# auditbeat file events and Elastic Defend endpoint events (tag "Data Source: Elastic Defend").
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of Standard Authentication Module or Configuration"
references = [
    "https://github.com/zephrax/linux-pam-backdoor",
    "https://github.com/eurialo/pambd",
    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
]
risk_score = 47
rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
]
# Use the ingest time rather than the event timestamp for scheduling lookback.
timestamp_override = "event.ingested"
# "new_terms": a matching event only alerts if the field tuple declared in
# [rule.new_terms] was not observed within the history window.
type = "new_terms"

# Query notes (review):
# - Scope: any file change where the file is a pam_*.so module or lives under
#   /etc/pam.d, /private/etc/pam.d (macOS) or /usr/lib64/security.
# - The process.executable exclusions include an interactive editor
#   (/usr/bin/vim): a manual edit of /etc/pam.d/* made from vim will not alert.
#   Decide whether that gap is acceptable for the environment; a narrower
#   exclusion (or none) is preferable where manual PAM edits are not expected.
# - The process.name exclusions (yum, dnf, dpkg, rsync, steam, systemd,
#   containerd, ...) key on the process name only, which is a weaker signal than
#   the executable path; prefer process.executable-based exclusions where the
#   path is stable.
# - "pdkg" in the process.name list does not correspond to a known package tool;
#   it looks like a typo for "dpkg", which is already listed on the same line.
#   Confirm and drop it — as written it excludes nothing.
# - Exclusions under file.path (snap rootfs, newroot staging dirs, macOS
#   fileprovider temp dirs) suppress module writes in package-staging locations.
# Note: '#' inside the ''' literal below is query text, not a comment; the
# query body must stay byte-identical.
query = '''
event.category:file and event.type:change and
  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and
  process.executable:
    (* and
      not
      (
        /usr/libexec/packagekitd or
        /usr/bin/vim or
        /usr/libexec/xpcproxy or
        /usr/bin/bsdtar or
        /usr/local/bin/brew or
        "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
      )
    ) and
  not file.path:
         (
           /tmp/snap.rootfs_*/pam_*.so or
           /tmp/newroot/lib/*/pam_*.so or
           /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or
           /tmp/newroot/usr/lib64/security/pam_*.so
         ) and
  not process.name:
         (
           yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or
           dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or
           systemd or containerd or pacman
         )
'''


# MITRE ATT&CK mapping, one [[rule.threat]] element per tactic.
# Persistence: T1543 Create or Modify System Process.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
# Credential Access: T1556 Modify Authentication Process.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

# New-terms parameters: the tuple (host.id, process.executable, file.path) is
# the term; an alert fires only when that tuple first appears for the host
# relative to the 7-day history window below.
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

References

Related rules
