Creation or Modification of Pluggable Authentication Module or Configuration
This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials.
# Rule metadata. Dates are written as "YYYY/MM/DD" strings rather than TOML
# native dates; keep that form so they parse the same way as the other rules.
[metadata]
creation_date = "2024/03/06"
# Integration whose data stream the rule reads (see `index` under [rule]).
integration = ["endpoint"]
maturity = "production"
# Bump whenever the query or the exclusion list below changes.
updated_date = "2024/07/18"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or
configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or
harvest account credentials.
"""
# Legitimate sources of the same events; most of them are already suppressed by
# the `not (...)` clause of the query.
false_positives = [
  "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
# Start of the time window each scheduled run searches, relative to run time.
from = "now-9m"
# Elastic Defend file event data stream.
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Creation or Modification of Pluggable Authentication Module or Configuration"
references = [
  "https://github.com/zephrax/linux-pam-backdoor",
  "https://github.com/eurialo/pambd",
  "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
  "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
]
# risk_score and severity are a paired value; change both together.
risk_score = 47
# Stable identifier; never changed after the rule is published.
rule_id = "f48ecc44-7d02-437d-9562-b838d2c41987"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Tactic: Persistence",
  "Data Source: Elastic Defend",
]
# Evaluate the window against ingest time so late-arriving endpoint events are
# not missed by the look-back in `from`.
timestamp_override = "event.ingested"
type = "eql"
# Detection logic (EQL). A Linux file "creation" or "rename" event matches when
# the target is one of:
#   - any ".so" under a system PAM module directory (`security/` under /lib,
#     /lib64, /usr/lib, /usr/lib64, /usr/lib/x86_64-linux-gnu),
#   - a file directly under /etc/pam.d/ with no extension (backup or staging
#     files such as *.bak or *.dpkg-new are skipped by `file.extension == null`),
#   - /etc/security/pam_* or /etc/pam.conf.
# Only "rename" and "creation" actions are considered: editors and package
# managers usually replace these files by rename, but an in-place write
# (a "modification" action) would not match -- confirm this is intentional.
# The `not (...)` clause suppresses package managers, container runtimes and
# configuration-management tools, keyed on the executable path either exactly
# (`in`) or by wildcard (`:`), plus editor swap files and dpkg staging renames
# (`file.Ext.original.extension == "dpkg-new"` is presumably the extension the
# file had before the rename -- verify against the Elastic Defend field docs).
# Every path in that list is a trust assumption on the binary at that path;
# review it periodically rather than widening it ad hoc, and pair this rule with
# package-integrity checks for the PAM directories.
# Review notes on the exclusion list as written:
#   - "/bin/podman" and "/usr/bin/podman" appear twice in the `in` list
#     (harmless, but one pair can be dropped).
#   - "/dev/fd/*" inside the `in` list is compared literally -- `in` does not
#     expand wildcards -- so it never matches there; the later
#     `process.executable : (...)` clause is what actually covers that prefix.
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and
process.executable != null and (
  (file.path : ("/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*",
  "/usr/lib/x86_64-linux-gnu/security/*") and file.extension == "so") or
  (file.path : "/etc/pam.d/*" and file.extension == null) or
  (file.path : "/etc/security/pam_*" or file.path == "/etc/pam.conf")
) and not (
  process.executable in (
    "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
    "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
    "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
    "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
    "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
    "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
    "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
    "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update",
    "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update"
  ) or
  file.path : (
    "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so"
  ) or
  file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
  file.Ext.original.extension == "dpkg-new" or
  process.executable : (
    "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
  ) or
  (process.name == "sed" and file.name : "sed*") or
  (process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
'''

# ATT&CK mapping 1 of 2: a dropped or replaced PAM module/config is a modified
# system component that survives reboots, hence Persistence.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# ATT&CK mapping 2 of 2: PAM sits in the authentication path, so a modified
# module can expose the credentials it validates, hence Credential Access.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
References
Related rules
- Potential OpenSSH Backdoor Logging Activity
- Modification of Standard Authentication Module or Configuration
- Suspicious File Creation via Kworker
- Process Capability Set via setcap Utility
- Process Spawned from Message-of-the-Day (MOTD)