Creation or Modification of Pluggable Authentication Module or Configuration

This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials.

Elastic rule

[metadata]
creation_date = "2024/03/06"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or
configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or
harvest account credentials.
"""
false_positives = [
    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
from = "now-9m"
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Creation or Modification of Pluggable Authentication Module or Configuration"
references = [
    "https://github.com/zephrax/linux-pam-backdoor",
    "https://github.com/eurialo/pambd",
    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
]
risk_score = 47
rule_id = "f48ecc44-7d02-437d-9562-b838d2c41987"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and
process.executable != null and (
  (file.path like~ (
    "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*",
    "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*"
  ) and file.extension == "so") or
  (file.path like~ "/etc/pam.d/*" and file.extension == null) or
  (file.path like~ "/etc/security/pam_*" or file.path == "/etc/pam.conf")
) and not (
  process.executable in (
    "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
    "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
    "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
    "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
    "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
    "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
    "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
    "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update",
    "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update"
  ) or
  file.path like (
    "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so"
  ) or
  file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
  file.Ext.original.extension == "dpkg-new" or
  process.executable like (
    "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
  ) or
  (process.name == "sed" and file.name like~ "sed*") or
  (process.name == "perl" and file.name like~ "e2scrub_all.tmp*")
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Creation or Modification of Pluggable Authentication Module or Configuration

Pluggable Authentication Modules (PAM) are integral to Linux systems, managing authentication tasks. Adversaries may exploit PAM by creating or altering its modules or configurations to gain persistence or capture credentials. The detection rule identifies suspicious activities by monitoring file operations in PAM directories, excluding legitimate processes, thus highlighting potential unauthorized modifications.

### Possible investigation steps

- Review the file path and extension to determine if the modified or created file is a PAM shared object or configuration file, focusing on paths like "/lib/security/*", "/etc/pam.d/*", and "/etc/security/pam_*".
- Identify the process executable responsible for the file operation and verify if it is listed as an excluded legitimate process, such as "/bin/dpkg" or "/usr/bin/yum". If not, investigate the process further.
- Check the process execution history and command line arguments to understand the context of the file operation and assess if it aligns with typical system administration tasks.
- Investigate the user account associated with the process to determine if it has legitimate access and permissions to modify PAM files, and check for any signs of compromise or misuse.
- Examine recent system logs and security alerts for any related suspicious activities or anomalies that might indicate a broader attack or compromise.
- If the file operation is deemed suspicious, consider restoring the original PAM configuration from a known good backup and monitor the system for any further unauthorized changes.

### False positive analysis

- Package management operations: Legitimate package managers like dpkg, rpm, and yum may trigger the rule during software updates or installations. To handle this, exclude these processes by adding them to the exception list in the rule configuration.
- System updates and maintenance: Processes such as pam-auth-update and systemd may modify PAM configurations during routine system updates. Exclude these processes to prevent false positives.
- Temporary files: Files with extensions like swp, swpx, and swx are often temporary and not indicative of malicious activity. Exclude these extensions to reduce noise.
- Development environments: Paths like /nix/store/* and /snap/* may be used in development or containerized environments. Consider excluding these paths if they are part of a known and secure setup.
- Automated scripts: Scripts using tools like sed or perl may create temporary files that match the rule's criteria. Exclude these specific patterns if they are part of regular, non-malicious operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Review the specific PAM module or configuration file that was created or modified to understand the changes made and assess the potential impact on system security.
- Restore the affected PAM files from a known good backup to ensure the integrity of the authentication process and remove any malicious modifications.
- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any additional malicious software that may have been introduced.
- Monitor the system and network for any signs of continued unauthorized access or suspicious activity, focusing on the indicators of compromise related to PAM manipulation.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
- Implement additional monitoring and alerting for PAM-related activities to enhance detection capabilities and prevent similar threats in the future."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
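The query above is easier to reason about (and to regression-test when you add an exception) once its include and exclude halves are separated. The following is an added example, not Elastic's code: the rule's EQL predicate re-implemented in Python and run over constructed file events. The `FileEvent` class, the `like` helper and the sample events are assumptions; field names mirror the ECS fields the query uses, and deriving `file.extension` and `file.name` from the path is a simplification of what the endpoint agent does.

```python
# Added example, not Elastic's code: the rule's EQL predicate re-implemented in
# Python over constructed file events, so the include/exclude logic can be read
# and unit-tested outside the SIEM. Extension/name derivation is simplified.
import fnmatch
import posixpath
from dataclasses import dataclass
from typing import Optional

PAM_MODULE_DIRS = (
    "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*",
    "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
)
# Writers the rule trusts (the `not (...)` clause). EQL `in` is an exact match,
# so "/dev/fd/*" here is literal; the wildcard form is in EXCLUDED_EXEC_GLOBS.
EXCLUDED_EXECUTABLES = frozenset((
    "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
    "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
    "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
    "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
    "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/usr/bin/puppet", "/bin/puppet",
    "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check",
    "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", "/bin/pamac-daemon",
    "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update", "/usr/lib/systemd/systemd",
    "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update",
))
EXCLUDED_EXEC_GLOBS = ("/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*")
EXCLUDED_FILE_GLOBS = ("/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so",
                       "/tmp/newroot/usr/lib64/security/pam_*.so")
TEMP_EXTENSIONS = frozenset(("swp", "swpx", "swx", "dpkg-remove"))


@dataclass
class FileEvent:
    action: str                               # event.action
    file_path: str                            # file.path
    process_executable: Optional[str]         # process.executable
    os_type: str = "linux"                    # host.os.type
    original_extension: Optional[str] = None  # file.Ext.original.extension

    @property
    def file_name(self) -> str:
        return posixpath.basename(self.file_path)

    @property
    def file_extension(self) -> Optional[str]:
        return self.file_name.rsplit(".", 1)[1] if "." in self.file_name else None

    @property
    def process_name(self) -> Optional[str]:
        return posixpath.basename(self.process_executable) if self.process_executable else None


def like(value: Optional[str], patterns, case_insensitive: bool = False) -> bool:
    """EQL `like` (case-sensitive) / `like~` (case-insensitive) wildcard match."""
    if value is None:
        return False
    pats = (patterns,) if isinstance(patterns, str) else patterns
    fold = str.lower if case_insensitive else str
    return any(fnmatch.fnmatchcase(fold(value), fold(p)) for p in pats)


def is_pam_target(ev: FileEvent) -> bool:
    """Positive half of the query: a PAM shared object or configuration path."""
    return ((like(ev.file_path, PAM_MODULE_DIRS, True) and ev.file_extension == "so")
            or (like(ev.file_path, "/etc/pam.d/*", True) and ev.file_extension is None)
            or like(ev.file_path, "/etc/security/pam_*", True)
            or ev.file_path == "/etc/pam.conf")


def is_excluded(ev: FileEvent) -> bool:
    """The `not (...)` half: trusted writers, staging paths and editor temp files."""
    return (ev.process_executable in EXCLUDED_EXECUTABLES
            or like(ev.file_path, EXCLUDED_FILE_GLOBS)
            or ev.file_extension in TEMP_EXTENSIONS
            or ev.original_extension == "dpkg-new"
            or like(ev.process_executable, EXCLUDED_EXEC_GLOBS)
            or (ev.process_name == "sed" and like(ev.file_name, "sed*", True))
            or (ev.process_name == "perl" and like(ev.file_name, "e2scrub_all.tmp*", True)))


def matches_rule(ev: FileEvent) -> bool:
    return (ev.os_type == "linux" and ev.action in ("rename", "creation")
            and ev.process_executable is not None
            and is_pam_target(ev) and not is_excluded(ev))


def alerts(events) -> list:
    """Paths of the events that would fire the rule, in input order."""
    return [ev.file_path for ev in events if matches_rule(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent("creation", "/lib/x86_64-linux-gnu/security/pam_unix.so", "/usr/bin/dpkg"),  # package update
    FileEvent("creation", "/lib/x86_64-linux-gnu/security/pam_custom.so", "/usr/bin/cp"),  # fires
    FileEvent("creation", "/etc/pam.d/.sshd.swp", "/usr/bin/vim"),                          # editor swap file
    FileEvent("rename", "/etc/pam.d/sshd", "/usr/bin/vim"),                                 # fires
    FileEvent("creation", "/etc/pam.d/common-auth", "/usr/sbin/pam-auth-update"),           # trusted tool
    FileEvent("creation", "/etc/security/pam_env.conf", "/usr/bin/cp"),                     # fires
    FileEvent("deletion", "/etc/pam.conf", "/usr/bin/rm"),                                  # not a rule action
]
```

Running `alerts(SAMPLE_EVENTS)` returns the three paths marked "fires". Two details are worth noticing when tuning exceptions: the `/etc/pam.d/*` branch only matches files with no extension, which is what keeps editor swap files out and also why `file.Ext.original.extension == "dpkg-new"` needs its own exclusion for renames of package-staged files, and `like~` is case-insensitive while the `process.executable in (...)` list is exact, so a trusted tool invoked through an unlisted path (a symlink, a container-mounted binary) will still fire.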

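The investigation guide's step "review the specific PAM module or configuration file that was created or modified" is quicker with a parser than with eyeballing. The following is an added example, not part of the Elastic rule or its guide: a small parser for `/etc/pam.d` service files that reports module entries missing from a baseline allowlist and modules loaded from a non-standard directory. `KNOWN_MODULES`, `STANDARD_DIRS` and the sample file content are constructed assumptions; a real baseline would be derived from the package manager's file lists for the host's PAM packages.

```python
# Added example, not part of the Elastic rule: a parser for pam.d service files
# plus a baseline check for reviewing a file that fired the rule. KNOWN_MODULES,
# STANDARD_DIRS and SAMPLE_SSHD are constructed, not taken from a real host.
import posixpath
from typing import List, NamedTuple, Optional, Tuple

# Constructed allowlist; in practice build it from the installed PAM packages.
KNOWN_MODULES = frozenset((
    "pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_systemd.so", "pam_deny.so",
    "pam_permit.so", "pam_limits.so", "pam_loginuid.so", "pam_keyinit.so", "pam_motd.so",
))
# Directories the detection rule itself watches for .so files.
STANDARD_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                 "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/",
                 "/usr/lib/x86_64-linux-gnu/security/")


class PamEntry(NamedTuple):
    module_type: str        # auth, account, password, session, or @include
    control: Optional[str]  # required, sufficient, ... or a [bracketed] value
    module: str             # module file name or absolute path; include target for @include
    args: Tuple[str, ...]


def parse_pam_config(text: str) -> List[PamEntry]:
    """Parse `type control module-path [args]` lines, skipping comments and blanks.
    Handles @include, a leading '-' on the type (optional module) and bracketed
    control values such as [success=1 default=ignore]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "@include":
            entries.append(PamEntry("@include", None, parts[1], ()))
            continue
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if parts[1].startswith("["):
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        if not rest:
            raise ValueError(f"PAM line has no module: {raw!r}")
        entries.append(PamEntry(parts[0].lstrip("-"), control, rest[0], tuple(rest[1:])))
    return entries


def audit_pam_config(text: str, known=KNOWN_MODULES) -> List[str]:
    """Reviewer findings: modules not in the baseline, or loaded from odd paths."""
    findings = []
    for e in parse_pam_config(text):
        if e.module_type == "@include":
            continue
        name = posixpath.basename(e.module)
        if "/" in e.module and not e.module.startswith(STANDARD_DIRS):
            findings.append(f"{e.module_type} {e.control}: module loaded from non-standard path {e.module}")
        elif name not in known:
            findings.append(f"{e.module_type} {e.control}: module {name} not in baseline")
    return findings


# Constructed sample resembling an sshd service file, with one unexpected line.
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service (constructed sample)
@include common-auth
auth     [success=1 default=ignore]  pam_unix.so nullok
auth     required   pam_env.so    # read environment
account  required   pam_nologin.so
-session optional   pam_systemd.so
auth     sufficient pam_custom.so
"""
```

`audit_pam_config(SAMPLE_SSHD)` returns a single finding for the `pam_custom.so` entry. Anything reported is exactly what the guide says to compare against a known good copy: a module name the package manager did not install, or a module path outside the directories the rule monitors, is the change to explain before restoring the file.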
