Modification of Standard Authentication Module or Configuration
Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.
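[metadata]
creation_date = "2020/12/21"
integration = ["endpoint"]
maturity = "production"
# The new_terms section of this rule keys on three fields; multi-field
# new-terms support arrived in 8.6, which is why the stack floor is pinned.
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/22"
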
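[rule]
author = ["Elastic"]
description = """
Adversaries may modify the standard authentication module for persistence via patching the normal authorization process
or modifying the login configuration to allow unauthorized access or elevate privileges.
"""
false_positives = [
    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
# Per-execution lookback. No `interval` key is set in this file, so the
# platform default schedule applies; `from` should stay wider than that
# interval or events in the gap are never evaluated.
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of Standard Authentication Module or Configuration"
references = [
    "https://github.com/zephrax/linux-pam-backdoor",
    "https://github.com/eurialo/pambd",
    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
]
risk_score = 47
rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "new_terms"

# Notes on the query (KQL has no comment syntax, so they live here):
# - `process.executable:(* and not (...))` requires the field to be present;
#   a file-change event with no process.executable never matches.
# - The process.name and process.executable allowlists match only the
#   reported name or path, so treat them as noise reduction rather than a
#   trust boundary, and review any addition to them.
# - `pdkg` in the process.name list looks like a typo for `dpkg`, which is
#   already listed; confirm before removing it.
query = '''
event.category:file and event.type:change and
  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and
  process.executable:
    (* and
      not
      (
        /usr/libexec/packagekitd or
        /usr/bin/vim or
        /usr/libexec/xpcproxy or
        /usr/bin/bsdtar or
        /usr/local/bin/brew or
        "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
      )
    ) and
  not file.path:
    (
      /tmp/snap.rootfs_*/pam_*.so or
      /tmp/newroot/lib/*/pam_*.so or
      /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or
      /tmp/newroot/usr/lib64/security/pam_*.so
    ) and
  not process.name:
    (
      yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or
      dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or
      systemd or containerd or pacman
    )
'''
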
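# Persistence mapping. The technique and tactic sub-tables below belong to
# this array element because they precede the next [[rule.threat]] header.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
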
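# Credential Access mapping: the same file change is also a modification of
# the authentication process (T1556).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
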
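[rule.new_terms]
field = "new_terms_fields"
# The new-terms check keys on the combination of these fields (three fields,
# hence the 8.6 floor in [metadata]); presumably dropping one coarsens the
# key and suppresses alerts — verify against the rule-type docs before editing.
value = ["host.id", "process.executable", "file.path"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
# Baseline period used to decide whether a combination was seen before.
value = "now-7d"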
References
Related rules
- Bash Shell Profile Modification
- Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable
- Potential Non-Standard Port SSH connection
- EggShell Backdoor Execution
- Potential JAVA/JNDI Exploitation Attempt