Creation or Modification of Pluggable Authentication Module or Configuration

This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/03/06"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/07/18"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or
11configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or 
12harvest account credentials.
13"""
14false_positives = [
15    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
16]
17from = "now-9m"
18index = ["logs-endpoint.events.file*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Creation or Modification of Pluggable Authentication Module or Configuration"
22references = [
23    "https://github.com/zephrax/linux-pam-backdoor",
24    "https://github.com/eurialo/pambd",
25    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
26    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
27]
28risk_score = 47
29rule_id = "f48ecc44-7d02-437d-9562-b838d2c41987"
30severity = "medium"
31tags = [
32    "Domain: Endpoint",
33    "OS: Linux",
34    "Use Case: Threat Detection",
35    "Tactic: Credential Access",
36    "Tactic: Persistence",
37    "Data Source: Elastic Defend",
38]
39timestamp_override = "event.ingested"
40type = "eql"
41query = '''
42file where host.os.type == "linux" and event.action in ("rename", "creation") and 
43process.executable != null and (
44  (file.path : ("/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*",
45  "/usr/lib/x86_64-linux-gnu/security/*") and file.extension == "so") or
46  (file.path : "/etc/pam.d/*" and file.extension == null) or 
47  (file.path : "/etc/security/pam_*" or file.path == "/etc/pam.conf")
48) and not (
49  process.executable in (
50    "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
51    "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
52    "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
53    "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
54    "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
55    "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
56    "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*",  "/usr/bin/pamac-daemon",
57    "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update",
58    "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update"
59  ) or
60  file.path : (
61    "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so"
62  ) or
63  file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
64  file.Ext.original.extension == "dpkg-new" or
65  process.executable : (
66    "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
67  ) or
68  (process.name == "sed" and file.name : "sed*") or
69  (process.name == "perl" and file.name : "e2scrub_all.tmp*") 
70)
71'''
72
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75
76[[rule.threat.technique]]
77id = "T1543"
78name = "Create or Modify System Process"
79reference = "https://attack.mitre.org/techniques/T1543/"
80
81[rule.threat.tactic]
82id = "TA0003"
83name = "Persistence"
84reference = "https://attack.mitre.org/tactics/TA0003/"
85
86[[rule.threat]]
87framework = "MITRE ATT&CK"
88
89[[rule.threat.technique]]
90id = "T1556"
91name = "Modify Authentication Process"
92reference = "https://attack.mitre.org/techniques/T1556/"
93
94[rule.threat.tactic]
95id = "TA0006"
96name = "Credential Access"
97reference = "https://attack.mitre.org/tactics/TA0006/"
