Modification of Standard Authentication Module or Configuration
Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.
Elastic rule
[metadata]
creation_date = "2020/12/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Adversaries may modify the standard authentication module for persistence via patching the normal authorization process
or modifying the login configuration to allow unauthorized access or elevate privileges.
"""
false_positives = [
    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of Standard Authentication Module or Configuration"
references = [
    "https://github.com/zephrax/linux-pam-backdoor",
    "https://github.com/eurialo/pambd",
    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
]
risk_score = 47
rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category:file and event.type:change and
  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and
  process.executable:
    (* and
      not
      (
        /usr/libexec/packagekitd or
        /usr/bin/vim or
        /usr/libexec/xpcproxy or
        /usr/bin/bsdtar or
        /usr/local/bin/brew or
        "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
      )
    ) and
  not file.path:
    (
      /tmp/snap.rootfs_*/pam_*.so or
      /tmp/newroot/lib/*/pam_*.so or
      /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or
      /tmp/newroot/usr/lib64/security/pam_*.so
    ) and
  not process.name:
    (
      yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or
      dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or
      systemd or containerd or pacman
    )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Modification of Standard Authentication Module or Configuration

Authentication modules, such as PAM (Pluggable Authentication Modules), are crucial for managing user authentication in Linux and macOS environments. Adversaries may exploit these by altering module files or configurations to gain unauthorized access or escalate privileges. The detection rule identifies suspicious changes to these modules, excluding legitimate processes and paths, to flag potential unauthorized modifications.

### Possible investigation steps

- Review the specific file that triggered the alert by examining the file.name and file.path fields to determine if it is a known authentication module or configuration file.
- Investigate the process that made the change by analyzing the process.executable field to identify if it is a legitimate process or potentially malicious.
- Check the process.name field to see if the process is one of the excluded legitimate processes, which might indicate a false positive.
- Look into recent system changes or updates that might have affected authentication modules, focusing on the time frame around the alert.
- Correlate the alert with other security events or logs to identify any related suspicious activities or patterns, such as unauthorized access attempts or privilege escalation.
- Verify the integrity of the affected authentication module or configuration file by comparing it with a known good version or using file integrity monitoring tools.

### False positive analysis

- Package management operations such as updates or installations can trigger false positives. Exclude processes like yum, dnf, rpm, and dpkg from the detection rule to prevent these benign activities from being flagged.
- System maintenance tasks often involve legitimate changes to authentication modules. Exclude processes like authconfig, pam-auth-update, and pam-config to avoid false alerts during routine maintenance.
- Development and testing environments may frequently modify authentication modules for testing purposes. Consider excluding paths like /tmp/snap.rootfs_*/pam_*.so and /tmp/newroot/lib/*/pam_*.so to reduce noise from these environments.
- Backup and synchronization tools such as rsync can cause false positives when they interact with authentication module files. Exclude rsync from the detection rule to prevent these non-threatening activities from being flagged.
- Containerized environments may have different paths and processes that interact with authentication modules. Exclude processes like containerd and paths like /tmp/newroot/usr/lib64/security/pam_*.so to account for these variations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Conduct a thorough review of the modified authentication module or configuration file to identify unauthorized changes and revert them to their original state using a known good backup.
- Reset passwords for all user accounts on the affected system, prioritizing accounts with elevated privileges, to mitigate potential credential compromise.
- Perform a comprehensive scan of the system for additional indicators of compromise, such as unauthorized user accounts or scheduled tasks, and remove any malicious artifacts found.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized modifications to authentication modules or configurations.
- Review and update access controls and authentication policies to strengthen security measures and reduce the risk of similar attacks in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
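To make the rule's logic concrete, here is an added Python example (not Elastic's code) that mirrors the KQL filter above and the new_terms semantics (alert only when the host.id / process.executable / file.path combination has not been seen in the 7-day history window) over a few constructed events; matches_query, NewTermsRule, SAMPLE_EVENTS and run_sample are names assumed here, and the new-terms check is a simplified in-memory version of what Elastic evaluates against indexed history.

```python
import fnmatch
from datetime import datetime, timedelta
EXCLUDED_EXECUTABLES = {  # exclusions copied from the rule's query (process.executable)
    "/usr/libexec/packagekitd", "/usr/bin/vim", "/usr/libexec/xpcproxy", "/usr/bin/bsdtar", "/usr/local/bin/brew",
    "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/"
    "package_script_service.xpc/Contents/MacOS/package_script_service"}
EXCLUDED_NAMES = {  # process.name exclusions copied from the rule's query
    "yum", "dnf", "rsync", "platform-python", "authconfig", "rpm", "pdkg", "apk", "dnf-automatic", "btrfs",
    "dpkg", "pam-auth-update", "steam", "platform-python3.6", "pam-config", "microdnf", "yum_install",
    "yum-cron", "systemd", "containerd", "pacman"}
WATCHED_PATHS = ["/etc/pam.d/*", "/private/etc/pam.d/*", "/usr/lib64/security/*"]
EXCLUDED_PATHS = [  # file.path exclusions copied from the rule's query
    "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so",
    "/private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so"]
def _glob(value, patterns):  # KQL '*' on keyword fields is case-sensitive and spans '/', like fnmatchcase
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)
def matches_query(ev):
    """Mirror of the rule's KQL filter, applied to a flat ECS-style event dict."""
    if ev.get("event.category") != "file" or ev.get("event.type") != "change":
        return False
    name, path = ev.get("file.name", ""), ev.get("file.path", "")
    if not (fnmatch.fnmatchcase(name, "pam_*.so") or _glob(path, WATCHED_PATHS)):
        return False
    exe = ev.get("process.executable")  # 'process.executable:*' requires the field to exist
    if not exe or exe in EXCLUDED_EXECUTABLES or _glob(path, EXCLUDED_PATHS):
        return False
    return ev.get("process.name") not in EXCLUDED_NAMES
class NewTermsRule:
    """Alert only when (host.id, process.executable, file.path) was not seen within history_window."""
    def __init__(self, history_window=timedelta(days=7)):  # rule: history_window_start = now-7d
        self.history_window, self.last_seen = history_window, {}
    def process(self, ev):
        if not matches_query(ev):
            return False
        key = (ev.get("host.id"), ev["process.executable"], ev.get("file.path"))
        last, self.last_seen[key] = self.last_seen.get(key), ev["@timestamp"]
        return last is None or ev["@timestamp"] - last > self.history_window
BASE = datetime(2025, 1, 15, 12, 0)
def _ev(minutes, name, path, pname, exe):  # builds a constructed sample event (not real telemetry)
    return {"@timestamp": BASE + timedelta(minutes=minutes), "event.category": "file", "event.type": "change",
            "host.id": "host-1", "file.name": name, "file.path": path, "process.name": pname, "process.executable": exe}
SAMPLE_EVENTS = [
    _ev(0, "common-auth", "/etc/pam.d/common-auth", "pam-auth-update", "/usr/sbin/pam-auth-update"),  # excluded name
    _ev(1, "pam_unix.so", "/lib/x86_64-linux-gnu/security/pam_unix.so", "cp", "/usr/bin/cp"),  # alert: new tuple
    _ev(2, "pam_unix.so", "/lib/x86_64-linux-gnu/security/pam_unix.so", "cp", "/usr/bin/cp"),  # seen 1 min ago
    _ev(3, "pam_unix.so", "/tmp/newroot/lib/x86_64/pam_unix.so", "cp", "/usr/bin/cp")]  # excluded path
def run_sample():
    rule = NewTermsRule()
    return [rule.process(ev) for ev in SAMPLE_EVENTS]  # -> [False, True, False, False]
```

Only the second event alerts: the first is suppressed by the process.name exclusion, the third repeats a tuple already seen inside the history window, and the fourth falls under an excluded path.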
Related rules
- Bash Shell Profile Modification
- Creation or Modification of Pluggable Authentication Module or Configuration
- Modification of OpenSSH Binaries
- Pluggable Authentication Module (PAM) Creation in Unusual Directory
- Pluggable Authentication Module (PAM) Source Download