Potential Backdoor Execution Through PAM_EXEC
This rule detects an SSH session ID change followed, within a few seconds, by a suspicious sshd child process: an interpreter such as perl or python, an executable under a scratch or otherwise unusual directory such as /tmp or /dev/shm, or a process with a hidden (dot-prefixed) name. That pattern may indicate execution of a command through the Pluggable Authentication Module (PAM) framework, which Linux systems use to authenticate users. pam_exec.so is the stock PAM module that runs an external program at a configured stage of the login, and adversaries can use it, or a custom malicious PAM module, to run a backdoor script or command every time a user logs in, gaining persistence on the target.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/04/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/07/07"

[rule]
author = ["Elastic"]
description = """
This rule detects an SSH session ID change followed by a suspicious SSHD child process, which may
indicate the successful execution of a potentially malicious process through the Pluggable
Authentication Module (PAM) utility. PAM is a framework used by Linux systems to authenticate
users. Adversaries may create malicious PAM modules that grant them persistence onto the
target every time a user logs in by executing a backdoor script or command.
"""
false_positives = [
    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Backdoor Execution Through PAM_EXEC"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Backdoor Execution Through PAM_EXEC

PAM (Pluggable Authentication Module) is a critical framework in Linux systems for user authentication. Adversaries may exploit PAM by inserting malicious modules that execute backdoor scripts during user logins, ensuring persistent access. The detection rule identifies this threat by monitoring SSH session changes followed by unusual child processes, often indicative of backdoor execution, especially when these processes originate from suspicious directories or use scripting languages.

### Possible investigation steps

- Review the process entity ID associated with the alert to identify the specific SSH session and its related activities.
- Examine the parent process details, specifically focusing on the SSH or SSHD process, to determine the source and legitimacy of the login attempt.
- Investigate the child process that was started, paying close attention to its name and executable path, especially if it matches patterns like scripting languages (e.g., perl, python) or suspicious directories (e.g., /tmp, /var/tmp).
- Check the process arguments count and content to understand the command or script being executed, which may provide insights into the potential backdoor's functionality.
- Correlate the event timestamp with user login records and system logs to identify any unusual login patterns or unauthorized access attempts.
- Assess the risk and impact by determining if the process has made any unauthorized changes to the system or if it has established any persistent mechanisms.
- If a backdoor is confirmed, initiate containment measures such as terminating the malicious process, removing the unauthorized PAM module, and conducting a full system audit to prevent further exploitation.

### False positive analysis

- Legitimate administrative scripts executed via SSH may trigger the rule if they use scripting languages like Perl, Python, or PHP. To handle this, identify and whitelist known administrative scripts and their execution paths.
- Automated backup or maintenance processes that run from directories like /var/backups or /var/log can be mistaken for malicious activity. Exclude these processes by specifying their exact paths and names in the exception list.
- Development or testing environments where scripts are frequently executed from temporary directories such as /tmp or /dev/shm may cause false positives. Implement exceptions for these environments by defining specific user accounts or process names that are known to be safe.
- Custom monitoring or logging tools that spawn child processes from SSH sessions might be flagged. Review these tools and add them to the exclusion list if they are verified as non-threatening.
- Regular user activities involving the use of scripting languages for legitimate purposes can be misinterpreted. Educate users on best practices and adjust the rule to exclude common benign scripts used in daily operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes identified by the detection rule, especially those originating from unusual directories or using scripting languages.
- Conduct a thorough review of PAM configuration files and modules to identify and remove any unauthorized or malicious entries.
- Reset credentials for all users on the affected system, prioritizing those with elevated privileges, to mitigate potential credential compromise.
- Restore the system from a known good backup if malicious modifications are confirmed, ensuring that the backup is free from tampering.
- Implement enhanced monitoring on the affected system and similar environments to detect any recurrence of the threat, focusing on SSH session changes and unusual child processes.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.
"""
references = [
    "https://www.elastic.co/security-labs/approaching-the-summit-on-persistence",
    "https://www.group-ib.com/blog/pluggable-authentication-module/",
]
risk_score = 47
rule_id = "96f29282-ffcc-4ce7-834b-b17aee905568"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by process.entity_id with maxspan=3s
  [process where host.os.type == "linux" and event.type == "change" and event.action == "session_id_change" and process.name in ("ssh", "sshd")]
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ("ssh", "sshd") and
   process.args_count == 2 and (
     process.name like ("perl*", "python*", "php*", "ruby*", "lua*") or
     process.executable like (
       "/tmp/*", "/var/tmp/*", "/dev/shm/*", "./*", "/boot/*", "/sys/*", "/lost+found/*", "/media/*", "/proc/*",
       "/var/backups/*", "/var/log/*", "/var/mail/*", "/var/spool/*") or
     process.name like ".*"
   )]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
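The EQL sequence in the rule above is compact, so it is easy to misread which events pair up. The following Python is an added example, not Elastic's code and not an EQL engine: it re-implements the same two-stage sequence (a `session_id_change` by ssh/sshd, then within `maxspan=3s` an `exec` on the same `process.entity_id` whose parent is ssh/sshd, whose `args_count` is exactly 2, and whose name or executable matches one of the rule's wildcard lists) and runs it over a handful of constructed ECS-style events. The events, their timestamps (seconds) and entity IDs are invented for the demonstration; the EQL `like` patterns are reproduced verbatim and matched with `fnmatchcase`, which treats `*` the same way.

```python
"""Added example: the PAM_EXEC rule's EQL sequence re-implemented over constructed events."""
from fnmatch import fnmatchcase

# Wildcard lists copied from the rule's query.
INTERPRETER_PATTERNS = ("perl*", "python*", "php*", "ruby*", "lua*")
SUSPICIOUS_DIRS = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "./*", "/boot/*", "/sys/*",
                   "/lost+found/*", "/media/*", "/proc/*", "/var/backups/*", "/var/log/*",
                   "/var/mail/*", "/var/spool/*")
SSH_DAEMONS = {"ssh", "sshd"}
MAXSPAN_SECONDS = 3.0  # "with maxspan=3s"


def is_session_change(ev):
    """First sequence stage: ssh/sshd changing its session ID."""
    return (ev.get("event.type") == "change"
            and ev.get("event.action") == "session_id_change"
            and ev.get("process.name") in SSH_DAEMONS)


def is_suspicious_exec(ev):
    """Second stage: exec of a child of ssh/sshd with exactly two args and a suspicious name/path."""
    if not (ev.get("event.type") == "start" and ev.get("event.action") == "exec"
            and ev.get("process.parent.name") in SSH_DAEMONS
            and ev.get("process.args_count") == 2):
        return False
    name = ev.get("process.name", "")
    exe = ev.get("process.executable", "")
    return (any(fnmatchcase(name, p) for p in INTERPRETER_PATTERNS)
            or any(fnmatchcase(exe, p) for p in SUSPICIOUS_DIRS)
            or fnmatchcase(name, ".*"))  # hidden (dot-prefixed) process name


def find_sequences(events, maxspan=MAXSPAN_SECONDS):
    """Return (session_change_event, exec_event) pairs joined on process.entity_id.

    Mirrors `sequence by process.entity_id with maxspan=...`: a stage-1 event opens a
    pending sequence for that entity; the first stage-2 event for the same entity within
    maxspan completes it and consumes the pending state.
    """
    alerts = []
    pending = {}  # entity_id -> most recent session_id_change event
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("host.os.type") != "linux":
            continue
        eid = ev["process.entity_id"]
        if is_session_change(ev):
            pending[eid] = ev
        elif is_suspicious_exec(ev) and eid in pending:
            first = pending[eid]
            if 0 <= ev["@timestamp"] - first["@timestamp"] <= maxspan:
                alerts.append((first, ev))
                del pending[eid]
    return alerts


def _ev(ts, eid, **fields):
    """Helper to build a constructed linux process event."""
    return {"@timestamp": ts, "host.os.type": "linux", "process.entity_id": eid, **fields}


# Constructed sample events (timestamps in seconds, entity IDs invented).
SAMPLE_EVENTS = [
    # A: sshd child changes session, then runs an interpreter on a script in /tmp -> alert
    _ev(100.0, "A", **{"event.type": "change", "event.action": "session_id_change", "process.name": "sshd"}),
    _ev(101.2, "A", **{"event.type": "start", "event.action": "exec", "process.parent.name": "sshd",
                       "process.name": "python3", "process.executable": "/usr/bin/python3",
                       "process.args_count": 2, "process.args": ["python3", "/tmp/.cache.py"]}),
    # B: ordinary remote command; three args, so args_count == 2 does not hold -> no alert
    _ev(200.0, "B", **{"event.type": "change", "event.action": "session_id_change", "process.name": "sshd"}),
    _ev(200.5, "B", **{"event.type": "start", "event.action": "exec", "process.parent.name": "sshd",
                       "process.name": "bash", "process.executable": "/bin/bash",
                       "process.args_count": 3, "process.args": ["bash", "-c", "uptime"]}),
    # C: suspicious path, but 10 s after the session change -> outside maxspan -> no alert
    _ev(300.0, "C", **{"event.type": "change", "event.action": "session_id_change", "process.name": "sshd"}),
    _ev(310.0, "C", **{"event.type": "start", "event.action": "exec", "process.parent.name": "sshd",
                       "process.name": "x", "process.executable": "/tmp/x",
                       "process.args_count": 2, "process.args": ["/tmp/x", "start"]}),
    # D: hidden name, but no preceding session_id_change for this entity -> no alert
    _ev(400.0, "D", **{"event.type": "start", "event.action": "exec", "process.parent.name": "sshd",
                       "process.name": ".ssh-agent", "process.executable": "/var/tmp/.ssh-agent",
                       "process.args_count": 2, "process.args": ["/var/tmp/.ssh-agent", "-d"]}),
]


def run_sample():
    return find_sequences(SAMPLE_EVENTS)


if __name__ == "__main__":
    for first, second in run_sample():
        print(f"ALERT entity={second['process.entity_id']} args={second['process.args']} "
              f"{second['@timestamp'] - first['@timestamp']:.1f}s after session_id_change")
```

Running it prints one alert, for entity A only. Cases B, C and D show the three ways a near miss drops out: the `args_count == 2` constraint, the 3-second window, and the requirement that the same entity first changed its session ID. When tuning exceptions for the false positives listed in the guide, test the exception against all three branches of the `or` (interpreter name, executable path, hidden name), since a benign script such as `/var/backups/rotate.py` matches two of them at once.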
Related rules
- Pluggable Authentication Module (PAM) Creation in Unusual Directory
- Pluggable Authentication Module (PAM) Version Discovery
- Polkit Policy Creation
- Potential OpenSSH Backdoor Logging Activity
- Potential Execution via XZBackdoor
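The response step in the investigation guide above, "review PAM configuration files and modules to identify and remove any unauthorized or malicious entries", is the manual part of the triage. The following Python is an added example, not Elastic's code: it parses `/etc/pam.d`-style stack files (the `type control module-path [args]` line format, including bracketed control values, the leading `-` for optional modules and Debian's `@include` lines) and reports `pam_exec.so` entries together with the command they run, modules loaded from a path outside the usual `security` directories, and hidden module names. The two sample stacks are constructed for the demonstration; the set of standard module directories is an assumption that you should adjust for your distribution.

```python
"""Added example: audit PAM stack files for pam_exec commands and out-of-place modules."""
import os
import re
from dataclasses import dataclass

# Assumed standard locations for PAM modules; extend for your distribution.
STANDARD_MODULE_DIRS = {
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/usr/lib/x86_64-linux-gnu/security", "/usr/lib/aarch64-linux-gnu/security",
}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# pam_exec.so options that may precede the command (see pam_exec(8)).
PAM_EXEC_OPTIONS = ("debug", "expose_authtok", "seteuid", "quiet", "quiet_log", "stdout", "log=", "type=")


@dataclass
class PamEntry:
    mtype: str    # auth / account / password / session (or "@include")
    control: str  # required / sufficient / ... or a bracketed [value=action ...] list
    module: str   # module path as written
    args: list


# type, then either a bracketed control or a single word, then the module, then the rest.
_LINE = re.compile(r"^(-?[a-z]+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_line(line):
    """Parse one pam.d line; returns None for comments and blank lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    if line.startswith("@include"):
        return PamEntry("@include", "", line.split(None, 1)[1].strip(), [])
    m = _LINE.match(line)
    if not m:
        return None
    mtype, control, module, rest = m.groups()
    return PamEntry(mtype.lstrip("-"), control, module, rest.split())


def pam_exec_command(args):
    """The first pam_exec argument that is not an option is the program it runs."""
    for a in args:
        if not a.startswith(PAM_EXEC_OPTIONS):
            return a
    return None


def audit_pam_text(filename, text):
    """Return (file, line, severity, message) findings for one stack file's contents."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        e = parse_pam_line(raw)
        if e is None or e.mtype == "@include":
            continue
        base = os.path.basename(e.module)
        if base == "pam_exec.so":
            cmd = pam_exec_command(e.args)
            hidden = cmd is not None and os.path.basename(cmd).startswith(".")
            sev = "high" if cmd and (cmd.startswith(SCRATCH_DIRS) or hidden) else "review"
            findings.append((filename, lineno, sev, f"pam_exec runs {cmd!r} in {e.mtype} phase"))
        elif "/" in e.module and os.path.dirname(e.module) not in STANDARD_MODULE_DIRS:
            findings.append((filename, lineno, "high", f"module loaded from non-standard path {e.module}"))
        elif base.startswith("."):
            findings.append((filename, lineno, "high", f"hidden module name {e.module}"))
    return findings


def audit_pam_dir(path="/etc/pam.d"):
    """Audit every regular file in a pam.d directory on a live host."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                findings.extend(audit_pam_text(full, fh.read()))
    return findings


# Constructed sample stacks (Debian-style sshd file), not taken from a real host.
CLEAN_SSHD = """\
# constructed sample
@include common-auth
account    required     pam_nologin.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
-session   optional     pam_systemd.so
session    required     pam_env.so readenv=1
"""
BACKDOORED_SSHD = CLEAN_SSHD + """\
session    optional     pam_exec.so seteuid log=/var/log/.pam_exec.log /tmp/.cache/.sync.sh
auth       sufficient   /tmp/.pam_helper.so
"""

if __name__ == "__main__":
    for f in audit_pam_text("sshd", BACKDOORED_SSHD):
        print("%s:%d [%s] %s" % f)
```

On the constructed backdoored stack this reports the `pam_exec.so` line running a hidden script from `/tmp` and the `auth sufficient` module loaded from `/tmp`; the clean stack produces nothing. A `pam_exec.so` entry that runs a program from a normal location is reported as "review" rather than "high", because administrators do legitimately use it. The parser only covers the stack files themselves: a module that sits in a standard directory but was replaced on disk will not show up here, so pair this with your package manager's file verification (for example `rpm -V` or `debsums`) and with the file-creation rules listed under related rules.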