Pluggable Authentication Module (PAM) Creation in Unusual Directory
This rule detects the creation of Pluggable Authentication Module (PAM) shared object files in unusual directories. Attackers may compile PAM shared object files in temporary directories, to move them to system directories later, potentially allowing them to maintain persistence on a compromised system, or harvest account credentials.
Elastic rule
[metadata]
creation_date = "2024/12/16"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects the creation of Pluggable Authentication Module (PAM) shared object files in unusual directories.
Attackers may compile PAM shared object files in temporary directories, to move them to system directories later,
potentially allowing them to maintain persistence on a compromised system, or harvest account credentials.
"""
false_positives = [
    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
from = "now-9m"
index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Pluggable Authentication Module (PAM) Creation in Unusual Directory"
references = [
    "https://github.com/zephrax/linux-pam-backdoor",
    "https://github.com/eurialo/pambd",
    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
]
risk_score = 21
rule_id = "5c832156-5785-4c9c-a2e7-0d80d2ba3daa"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Data Source: SentinelOne",
    "Data Source: Elastic Endgame",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "creation" and file.name like "pam_*.so" and not file.path like (
  "/lib/security/*",
  "/lib64/security/*",
  "/lib/x86_64-linux-gnu/security/*",
  "/usr/lib/security/*",
  "/usr/lib64/security/*",
  "/usr/lib/x86_64-linux-gnu/security/*"
) and not (
  process.name in ("dockerd", "containerd", "steam", "buildkitd", "unsquashfs", "pacman") or
  file.path like (
    "/build/rootImage/nix/store/*", "/home/*/.local/share/containers/*", "/nix/store/*", "/var/lib/containerd/*",
    "/var/snap/*", "/usr/share/nix/nix/store/*", "/tmp/cura/squashfs-root/*", "/home/*/docker/*", "/tmp/containerd*"
  )
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Pluggable Authentication Module (PAM) Creation in Unusual Directory

Pluggable Authentication Modules (PAM) are integral to Linux systems, managing authentication tasks. Adversaries may exploit PAM by creating malicious modules in non-standard directories, aiming to gain persistence or capture credentials. The detection rule identifies such anomalies by monitoring the creation of PAM files outside typical system paths, excluding benign processes and known directories, thus highlighting potential threats.

### Possible investigation steps

- Review the file creation event details, focusing on the file path and name to determine the exact location and nature of the PAM shared object file created.
- Investigate the process that created the file by examining the process name and its parent process to understand the context and legitimacy of the file creation.
- Check the user account associated with the process that created the file to assess if it has the necessary permissions and if the activity aligns with typical user behavior.
- Analyze recent system logs and command history for any suspicious activities or commands that might indicate an attempt to compile or move PAM modules.
- Correlate the event with other security alerts or anomalies on the system to identify potential patterns or coordinated actions that could indicate a broader compromise.
- If possible, retrieve and analyze the contents of the PAM shared object file to identify any malicious code or indicators of compromise.

### False positive analysis

- Development and testing environments may compile PAM modules in temporary directories. To manage this, exclude paths commonly used for development, such as "/tmp/dev/*" or "/var/tmp/test/*".
- Containerized applications might create PAM modules in non-standard directories. Exclude processes like "dockerd" and "containerd" to prevent false positives from container operations.
- Package managers or system update tools may temporarily store PAM modules in unusual directories during updates. Exclude paths like "/var/cache/pacman/pkg/*" or "/var/lib/dpkg/tmp.ci/*" to avoid alerts during legitimate system updates.
- Custom scripts or automation tools might generate PAM modules in user-specific directories. Identify and exclude these specific scripts or paths if they are known to be safe and necessary for operations.
- Temporary backup or recovery operations might involve copying PAM modules to non-standard locations. Exclude paths used for backups, such as "/backup/*" or "/recovery/*", if these operations are verified as secure.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Conduct a thorough review of the unusual directory where the PAM file was created to identify any other suspicious files or activities, and remove any malicious files found.
- Analyze the process that created the PAM file to determine if it was initiated by a legitimate user or process, and terminate any malicious processes.
- Reset credentials for any accounts that may have been compromised, focusing on those with elevated privileges or access to sensitive systems.
- Restore the affected system from a known good backup to ensure that no malicious modifications persist.
- Implement additional monitoring on the affected system and similar systems to detect any further attempts to create PAM files in unusual directories.
- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
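To make the rule's filtering logic and the tuning advice in the "False positive analysis" section concrete, here is an added Python re-implementation of the EQL query above, run over a handful of constructed file-creation events. This is editorial example code, not Elastic's rule engine: the `like` helper is an approximation of EQL's case-sensitive wildcard matching (`*` matches any run of characters, `?` a single character), the flattened `field.name` event dictionaries stand in for the ECS documents Elastic Defend would ship, and the `extra_excluded_paths` parameter is a hypothetical hook that shows how an analyst-added exception such as `/tmp/dev/*` changes the outcome.

```python
import re
from typing import Dict, Iterable, List, Optional

# Exclusion lists copied from the rule's EQL query.
STANDARD_PAM_DIRS = [
    "/lib/security/*",
    "/lib64/security/*",
    "/lib/x86_64-linux-gnu/security/*",
    "/usr/lib/security/*",
    "/usr/lib64/security/*",
    "/usr/lib/x86_64-linux-gnu/security/*",
]
EXCLUDED_PROCESSES = {"dockerd", "containerd", "steam", "buildkitd", "unsquashfs", "pacman"}
EXCLUDED_PATHS = [
    "/build/rootImage/nix/store/*", "/home/*/.local/share/containers/*", "/nix/store/*",
    "/var/lib/containerd/*", "/var/snap/*", "/usr/share/nix/nix/store/*",
    "/tmp/cura/squashfs-root/*", "/home/*/docker/*", "/tmp/containerd*",
]


def like(value: str, pattern: str) -> bool:
    """Approximate EQL `like` (assumption): case-sensitive, '*' = any run, '?' = one char."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def like_any(value: str, patterns: Iterable[str]) -> bool:
    return any(like(value, p) for p in patterns)


def matches_rule(event: Dict[str, str], extra_excluded_paths: Optional[List[str]] = None) -> bool:
    """Return True when a single flattened event satisfies the rule's EQL predicate."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "creation":
        return False
    if not like(event.get("file.name", ""), "pam_*.so"):
        return False
    path = event.get("file.path", "")
    if like_any(path, STANDARD_PAM_DIRS):          # canonical module directories are fine
        return False
    if event.get("process.name") in EXCLUDED_PROCESSES:  # container/package tooling
        return False
    if like_any(path, EXCLUDED_PATHS + (extra_excluded_paths or [])):
        return False
    return True


def run_rule(events: Iterable[Dict[str, str]], extra_excluded_paths: Optional[List[str]] = None) -> List[Dict[str, str]]:
    """Evaluate every event and return the ones that would raise an alert."""
    return [e for e in events if matches_rule(e, extra_excluded_paths)]


# Constructed sample events (not real telemetry); each comment states the expected verdict.
SAMPLE_EVENTS = [
    # linker output in a scratch directory -> alert
    {"host.os.type": "linux", "event.type": "creation", "file.name": "pam_custom.so",
     "file.path": "/tmp/build/pam_custom.so", "process.name": "ld"},
    # package manager writing to a standard module directory -> no alert
    {"host.os.type": "linux", "event.type": "creation", "file.name": "pam_unix.so",
     "file.path": "/lib/x86_64-linux-gnu/security/pam_unix.so", "process.name": "dpkg"},
    # container runtime unpacking an image layer -> excluded by process name
    {"host.os.type": "linux", "event.type": "creation", "file.name": "pam_unix.so",
     "file.path": "/var/lib/docker/overlay2/abc/diff/lib/security/pam_unix.so", "process.name": "dockerd"},
    # rootless container storage -> excluded by the /home/*/.local/share/containers/* pattern
    {"host.os.type": "linux", "event.type": "creation", "file.name": "pam_unix.so",
     "file.path": "/home/alice/.local/share/containers/storage/overlay/x/pam_unix.so", "process.name": "podman"},
    # developer test build -> alerts until the analyst adds a "/tmp/dev/*" exception
    {"host.os.type": "linux", "event.type": "creation", "file.name": "pam_test.so",
     "file.path": "/tmp/dev/pam_test.so", "process.name": "ld"},
    # the PAM library itself, not a pam_*.so module -> no alert
    {"host.os.type": "linux", "event.type": "creation", "file.name": "libpam.so.0",
     "file.path": "/tmp/libpam.so.0", "process.name": "ld"},
    # modification rather than creation -> no alert
    {"host.os.type": "linux", "event.type": "change", "file.name": "pam_custom.so",
     "file.path": "/tmp/build/pam_custom.so", "process.name": "ld"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit["process.name"], hit["file.path"])
    print("after tuning:", [h["file.path"] for h in run_rule(SAMPLE_EVENTS, ["/tmp/dev/*"])])
```

Running it as written produces two alerts (the `/tmp/build` and `/tmp/dev` modules); passing `["/tmp/dev/*"]` as an extra exclusion leaves only the `/tmp/build` hit, which is the effect the tuning guidance describes. Note that EQL `like` lets `*` span `/`, so an exception such as `/home/*/docker/*` also covers nested subdirectories; keep that in mind before adding broad patterns.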
Related rules
- Pluggable Authentication Module (PAM) Version Discovery
- Potential OpenSSH Backdoor Logging Activity
- Chkconfig Service Add
- DNF Package Manager Plugin File Creation
- Directory Creation in /bin directory