Pluggable Authentication Module or Configuration Creation
This rule monitors for the creation of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create these files to maintain persistence on a compromised system, or harvest account credentials.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/03/06"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/22"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the creation of Pluggable Authentication Module (PAM) shared object files or configuration
files. Attackers may create these files to maintain persistence on a compromised system, or harvest account credentials.
"""
false_positives = [
    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
from = "now-9m"
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Pluggable Authentication Module or Configuration Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Pluggable Authentication Module or Configuration Creation

Pluggable Authentication Modules (PAM) are integral to Linux systems, managing authentication tasks. Adversaries may exploit PAM by creating or altering its modules or configurations to gain persistence or capture credentials. The detection rule identifies suspicious activity by monitoring file creation events under the PAM module directories and configuration paths, excluding known legitimate processes and temporary files, thus highlighting potential unauthorized modifications.

### Possible investigation steps

- Review the file path and extension to determine whether the created file is a PAM shared object or configuration file, focusing on the paths the rule covers: "/lib/security/*" and the other module directories (with a ".so" extension), "/etc/pam.d/*", "/etc/security/pam_*", and "/etc/pam.conf".
- Identify the process executable responsible for the file operation and verify whether it is listed as an excluded legitimate process, such as "/bin/dpkg" or "/usr/bin/yum". If not, investigate the process further.
- Check whether the created file is owned by an installed package (for example with `dpkg -S` or `rpm -qf` on the path) and whether that package still verifies cleanly (`dpkg --verify` or `rpm -V`). A PAM module that no package owns, or a packaged file whose hash no longer matches, is a strong signal.
- Check the process execution history and command line arguments to understand the context of the file operation and assess whether it aligns with typical system administration tasks.
- Investigate the user account associated with the process to determine whether it has legitimate access and permissions to modify PAM files, and check for any signs of compromise or misuse.
- Examine recent system logs and security alerts for any related suspicious activities or anomalies that might indicate a broader attack or compromise.
- If the file operation is deemed suspicious, consider restoring the original PAM configuration from a known good backup and monitor the system for any further unauthorized changes.

### False positive analysis

- Package management operations: Legitimate package managers such as dpkg, rpm, yum, dnf, apk, and pacman create PAM modules and configuration files during software updates and installations. The rule already excludes their common executable paths; add further exceptions only for package managers your distribution installs elsewhere.
- System updates and maintenance: Processes such as pam-auth-update, pam-config, authconfig, and systemd may write PAM configuration during routine system updates and are already excluded by the rule.
- Temporary files: Editor swap and backup files (extensions swp, swpx, and swx, or a trailing "~" written by vim.basic) and package-manager staging files (dpkg-new, dpkg-remove, pam-new) are excluded so that normal edits and upgrades do not generate noise.
- Package stores and sandboxes: The rule excludes processes executing from /nix/store/* and /snap/*, and PAM modules written under snap and chroot staging paths such as /tmp/snap.rootfs_*/pam_*.so. Review these exceptions if your environment does not use these tools, since an attacker running from such a path inherits the exclusion.
- Automated scripts: Scripts using tools such as sed or perl may create temporary files that match the rule's criteria (for example sed's in-place temporary file). Exclude these specific patterns only if they are part of regular, non-malicious operations, and be aware that any process named python*, platform-python*, or dockerd is excluded outright by the rule.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Review the specific PAM module or configuration file that was created to understand the changes made and assess the potential impact on system security. Preserve a copy of the file and its hash before removing it, so the module can be analyzed for credential logging or a hard-coded backdoor password.
- Restore the affected PAM files from a known good backup, or reinstall the package that owns them, to ensure the integrity of the authentication process and remove any malicious modifications.
- Assume that credentials entered on the host after the file was created may have been captured, and rotate them.
- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any additional malicious software that may have been introduced.
- Monitor the system and network for any signs of continued unauthorized access or suspicious activity, focusing on the indicators of compromise related to PAM manipulation.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
- Implement additional monitoring and alerting for PAM-related activities to enhance detection capabilities and prevent similar threats in the future."""
references = [
    "https://github.com/zephrax/linux-pam-backdoor",
    "https://github.com/eurialo/pambd",
    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
]
risk_score = 47
rule_id = "f48ecc44-7d02-437d-9562-b838d2c41987"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action == "creation" and process.executable != null and (
  (file.path like (
    "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*",
    "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*"
  ) and file.extension == "so") or
  (file.path like "/etc/pam.d/*" and file.extension == null) or
  (file.path like "/etc/security/pam_*" or file.path == "/etc/pam.conf")
) and not (
  process.executable in (
    "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
    "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
    "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
    "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
    "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
    "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
    "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon",
    "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update",
    "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update", "./user/bin/podman",
    "/usr/bin/dnf5", "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/crio", "/sbin/authconfig", "/usr/sbin/yum-cron",
    "/sbin/yum-cron", "/usr/local/psa/bin/dnf_install", "/opt/jc/bin/jumpcloud-agent", "./usr/bin/podman",
    "/kaniko/executor", "/opt/kaniko/executor", "/usr/bin/buildah", "/usr/sbin/pam-config",
    "./usr/lib/snapd/snap-update-ns", "/usr/bin/install", "/usr/bin/env"
  ) or
  file.path like (
    "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so"
  ) or
  file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
  file.Ext.original.extension == "dpkg-new" or
  file.Ext.original.name like "*.pam-new" or
  process.executable like (
    "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/usr/bin/python*",
    "/opt/alt/python*/bin/python*", "/usr/libexec/platform-python*", "./snap/snapd/*/usr/lib/snapd/snap-update-ns"
  ) or
  (process.name == "sed" and file.name like~ "sed*") or
  (process.name == "perl" and file.name like~ "e2scrub_all.tmp*") or
  (process.name == "perl" and event.action == "rename" and file.Ext.original.name like "*.pam-new") or
  process.name like ("python*", "platform-python*", "dockerd") or
  (process.name == "vim.basic" and file.name like "*~")
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
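To see how the query above behaves on concrete events, here is an added example (my own code, not Elastic's and not part of the rule) that re-implements the rule's match and exclusion logic in Python and runs it over constructed file-creation events. The exclusion lists are abbreviated from the rule; the sample events are made up, not captured telemetry. It shows which events alert, which the exclusions suppress (including the `python*` process-name and `/proc/self/exe` exceptions, which an attacker can inherit), and which paths the rule never examines.

```python
"""Python re-implementation of the EQL rule (added example, not Elastic's code),
run over constructed file-creation events. Exclusion lists are abbreviated."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# file.path globs from the rule. EQL's `like` wildcard '*' and fnmatch's '*'
# both match across '/', so the semantics line up.
PAM_MODULE_DIRS = [
    "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*",
    "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
]
# Abbreviated from the rule's `process.executable in (...)` list. "/proc/self/exe"
# is in the rule's list too, which matters for binaries that re-exec themselves.
EXCLUDED_EXECUTABLES = {
    "/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/dnf", "/usr/bin/apt", "/usr/sbin/apk",
    "/usr/sbin/pam-auth-update", "/usr/lib/systemd/systemd", "/proc/self/exe",
}
EXCLUDED_EXECUTABLE_GLOBS = ["/nix/store/*", "/snap/*", "/usr/bin/python*"]
EXCLUDED_FILE_GLOBS = ["/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so"]
EXCLUDED_EXTENSIONS = {"swp", "swpx", "swx", "dpkg-remove"}
EXCLUDED_PROCESS_NAME_GLOBS = ["python*", "platform-python*", "dockerd"]


@dataclass
class FileEvent:
    """The ECS fields the rule reads, flattened into one record."""
    file_path: str
    process_executable: Optional[str]
    process_name: str
    event_action: str = "creation"
    os_type: str = "linux"
    original_extension: Optional[str] = None  # file.Ext.original.extension
    original_name: Optional[str] = None       # file.Ext.original.name

    @property
    def file_name(self) -> str:
        return self.file_path.rsplit("/", 1)[-1]

    @property
    def file_extension(self) -> Optional[str]:
        # ECS file.extension: text after the last dot, null when there is none
        name = self.file_name
        return name.rsplit(".", 1)[1] if "." in name else None


def _matches(globs: List[str], value: Optional[str]) -> bool:
    return value is not None and any(fnmatch.fnmatchcase(value, g) for g in globs)


def in_scope(e: FileEvent) -> bool:
    """The positive half of the query: creation of a PAM module or config file."""
    if e.os_type != "linux" or e.event_action != "creation" or e.process_executable is None:
        return False
    return (
        (_matches(PAM_MODULE_DIRS, e.file_path) and e.file_extension == "so")
        or (fnmatch.fnmatchcase(e.file_path, "/etc/pam.d/*") and e.file_extension is None)
        or fnmatch.fnmatchcase(e.file_path, "/etc/security/pam_*")
        or e.file_path == "/etc/pam.conf"
    )


def excluded(e: FileEvent) -> bool:
    """The `and not (...)` half of the query."""
    return (
        e.process_executable in EXCLUDED_EXECUTABLES
        or _matches(EXCLUDED_EXECUTABLE_GLOBS, e.process_executable)
        or _matches(EXCLUDED_FILE_GLOBS, e.file_path)
        or e.file_extension in EXCLUDED_EXTENSIONS
        or e.original_extension == "dpkg-new"
        or _matches(["*.pam-new"], e.original_name)
        or _matches(EXCLUDED_PROCESS_NAME_GLOBS, e.process_name)
        or (e.process_name == "sed" and e.file_name.lower().startswith("sed"))  # like~ ignores case
        or (e.process_name == "vim.basic" and e.file_name.endswith("~"))
    )


def classify(e: FileEvent) -> str:
    """'alert', 'excluded' (matched but suppressed) or 'out-of-scope' (never examined)."""
    if not in_scope(e):
        return "out-of-scope"
    return "excluded" if excluded(e) else "alert"


def alerts(events: List[FileEvent]) -> List[FileEvent]:
    return [e for e in events if classify(e) == "alert"]


def sample_events() -> List[FileEvent]:
    """Constructed sample events, not captured telemetry."""
    return [
        FileEvent("/lib/x86_64-linux-gnu/security/pam_backdoor.so", "/usr/bin/bash", "bash"),
        FileEvent("/lib/x86_64-linux-gnu/security/pam_unix.so", "/usr/bin/dpkg", "dpkg"),
        FileEvent("/etc/pam.d/common-auth", "/bin/sh", "sh"),
        FileEvent("/etc/pam.d/sshd~", "/usr/bin/vim.basic", "vim.basic"),
        FileEvent("/etc/pam.d/sshd", "/usr/bin/python3.11", "python3.11"),
        FileEvent("/lib64/security/pam_evil.so", "/proc/self/exe", "dropper"),
        FileEvent("/usr/local/lib/security/pam_evil.so", "/usr/bin/bash", "bash"),
    ]


if __name__ == "__main__":
    for ev in sample_events():
        print(f"{classify(ev):13} {ev.process_name:10} {ev.file_path}")
```

Only the first and third sample events alert. The `python3.11` and `/proc/self/exe` creations are matched by the rule's scope but silenced by its exclusions, and the module dropped under `/usr/local/lib/security` is never examined at all (that directory is the concern of the related "Pluggable Authentication Module (PAM) Creation in Unusual Directory" rule).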
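For the investigation step that asks you to review the created configuration file, here is an added triage helper (my own code, not Elastic's and not part of the rule). It parses an `/etc/pam.d/<service>` file into entries and flags the patterns the referenced PAM backdoors rely on: a module loaded from outside the standard module directories, a module not in your baseline, `sufficient` control on an unknown module (which short-circuits the stack), `auth sufficient pam_permit.so`, and `pam_exec.so` invoking a command. The baseline module set, the standard directory list and the sample service file are my assumptions, not taken from any real host.

```python
"""PAM service-file triage (added example, not Elastic's code). Parses a
/etc/pam.d/<service> file and flags entries a responder should look at first."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed: where a stock distribution installs pam_*.so (same set the rule watches).
STANDARD_MODULE_DIRS = {
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
}
# Assumed baseline of modules expected in this host's stacks; anything else is flagged.
BASELINE_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_deny.so", "pam_permit.so", "pam_exec.so",
    "pam_faildelay.so", "pam_motd.so", "pam_limits.so", "pam_systemd.so", "pam_loginuid.so",
    "pam_keyinit.so", "pam_selinux.so", "pam_mail.so", "pam_umask.so", "pam_succeed_if.so",
}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# type  control  module  [args...]; control may be the bracketed [value=action ...] form
LINE_RE = re.compile(r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")


@dataclass
class PamEntry:
    lineno: int
    type: str        # auth | account | password | session | @include
    control: str
    module: str
    args: List[str]


def parse_pam_service(text: str) -> List[PamEntry]:
    """Parse one /etc/pam.d/<service> file, honouring backslash line continuation."""
    entries, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("@include"):
            entries.append(PamEntry(start, "@include", "", line.split(None, 1)[1], []))
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(PamEntry(start, m["type"].lstrip("-"), m["control"],
                                    m["module"], m["args"].split()))
    return entries


def triage(entries: List[PamEntry]) -> List[Tuple[int, str]]:
    """Return (line number, reason) pairs for entries worth a second look."""
    findings = []
    for e in entries:
        if e.type == "@include" or e.control in ("include", "substack"):
            continue  # references another service file, not a module
        mod = e.module
        if "/" in mod:
            directory, mod = mod.rsplit("/", 1)
            if directory not in STANDARD_MODULE_DIRS:
                findings.append((e.lineno, f"module loaded from non-standard path {e.module}"))
        if mod not in BASELINE_MODULES:
            findings.append((e.lineno, f"module {mod} is not in the baseline"))
        if mod == "pam_exec.so":
            cmd = next((a for a in e.args if a.startswith("/")), "<no command>")
            tmp = " (in a temp dir)" if cmd.startswith(TEMP_DIRS) else ""
            findings.append((e.lineno, f"pam_exec runs {cmd}{tmp} at {e.type} stage"))
        if e.type == "auth" and e.control == "sufficient" and mod == "pam_permit.so":
            findings.append((e.lineno, "auth sufficient pam_permit.so accepts any password"))
        if e.type in ("auth", "account") and e.control == "sufficient" and mod not in BASELINE_MODULES:
            findings.append((e.lineno, f"sufficient control lets {mod} short-circuit the {e.type} stack"))
    return findings


# Constructed sample of a tampered sshd service file (not from a real host).
SAMPLE_SSHD = """\
# PAM configuration for sshd (constructed sample)
auth       required     pam_env.so
auth       sufficient   /usr/local/lib/pam_backdoor.so
auth       sufficient   pam_permit.so
@include common-auth
account    required     pam_nologin.so
session    optional     pam_exec.so seteuid /tmp/.x/update.sh
session    required     pam_limits.so \\
                        conf=/etc/security/limits.conf
"""

if __name__ == "__main__":
    for lineno, reason in triage(parse_pam_service(SAMPLE_SSHD)):
        print(f"line {lineno}: {reason}")
```

On the sample file the helper flags lines 3, 4 and 7 and leaves the stock `pam_env`, `pam_nologin` and `pam_limits` entries alone. Treat the output as a prioritised reading list, not a verdict: the baseline is per-distribution, and Debian's `common-auth` legitimately ends with `auth required pam_permit.so`, which is why only the `sufficient` form is flagged.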
Related rules
- Pluggable Authentication Module (PAM) Creation in Unusual Directory
- Pluggable Authentication Module (PAM) Source Download
- Polkit Policy Creation
- Potential Backdoor Execution Through PAM_EXEC
- Renaming of OpenSSH Binaries