Modification of Standard Authentication Module or Configuration

Adversaries may modify the standard authentication module for persistence, either by patching the normal authorization process or by modifying the login configuration, in order to allow unauthorized access or to elevate privileges.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/12/21"
  3integration = ["endpoint"]
  4maturity = "production"
  5min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
  6min_stack_version = "8.6.0"
  7updated_date = "2023/09/22"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Adversaries may modify the standard authentication module for persistence via patching the normal authorization process
 13or modifying the login configuration to allow unauthorized access or elevate privileges.
 14"""
 15false_positives = [
 16    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
 17]
 18from = "now-9m"
 19index = ["auditbeat-*", "logs-endpoint.events.*"]
 20language = "kuery"
 21license = "Elastic License v2"
 22name = "Modification of Standard Authentication Module or Configuration"
 23references = [
 24    "https://github.com/zephrax/linux-pam-backdoor",
 25    "https://github.com/eurialo/pambd",
 26    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
 27    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
 28]
 29risk_score = 47
 30rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
 31severity = "medium"
 32tags = ["Domain: Endpoint",
 33        "OS: macOS",
 34        "OS: Linux",
 35        "Use Case: Threat Detection",
 36        "Tactic: Credential Access",
 37        "Tactic: Persistence",
 38        "Data Source: Elastic Defend"
 39        ]
 40timestamp_override = "event.ingested"
 41type = "new_terms"
 42
 43query = '''
 44event.category:file and event.type:change and
 45  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and
 46  process.executable:
 47    (* and
 48      not
 49      (
 50        /usr/libexec/packagekitd or
 51        /usr/bin/vim or
 52        /usr/libexec/xpcproxy or
 53        /usr/bin/bsdtar or
 54        /usr/local/bin/brew or
 55        "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
 56      )
 57    ) and
 58  not file.path:
 59         (
 60           /tmp/snap.rootfs_*/pam_*.so or
 61           /tmp/newroot/lib/*/pam_*.so or
 62           /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or
 63           /tmp/newroot/usr/lib64/security/pam_*.so
 64         ) and
 65  not process.name:
 66         (
 67           yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or
 68           dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or
 69           systemd or containerd or pacman
 70         )
 71'''
 72
 73[[rule.threat]]
 74framework = "MITRE ATT&CK"
 75
 76[[rule.threat.technique]]
 77id = "T1543"
 78name = "Create or Modify System Process"
 79reference = "https://attack.mitre.org/techniques/T1543/"
 80
 81[rule.threat.tactic]
 82id = "TA0003"
 83name = "Persistence"
 84reference = "https://attack.mitre.org/tactics/TA0003/"
 85
 86[[rule.threat]]
 87framework = "MITRE ATT&CK"
 88
 89[[rule.threat.technique]]
 90id = "T1556"
 91name = "Modify Authentication Process"
 92reference = "https://attack.mitre.org/techniques/T1556/"
 93
 94[rule.threat.tactic]
 95id = "TA0006"
 96name = "Credential Access"
 97reference = "https://attack.mitre.org/tactics/TA0006/"
 98
 99[rule.new_terms]
100field = "new_terms_fields"
101value = ["host.id", "process.executable", "file.path"]
102
103[[rule.new_terms.history_window_start]]
104field = "history_window_start"
105value = "now-7d"

References

Related rules
