Potential Backdoor Execution Through PAM_EXEC
This rule detects an SSH session ID change followed by a suspicious SSHD child process; this may indicate the successful execution of a potentially malicious process through the Pluggable Authentication Module (PAM) utility. PAM is a framework used by Linux systems to authenticate users. Adversaries may create malicious PAM modules that grant them persistence on the target every time a user logs in by executing a backdoor script or command.
Elastic rule (View on GitHub)
# Elastic prebuilt detection rule. Rule metadata comes first, then the rule body.
# Comments cannot be placed inside the multi-line strings below (they would become
# part of the string), so the query is explained immediately above `query`.
[metadata]
# Dates are YYYY/MM/DD; updated_date equals creation_date, so this is the first revision.
creation_date = "2025/04/29"
# Integration whose data stream this rule reads (see `index` below).
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/04/29"

[rule]
author = ["Elastic"]
description = """
This rule detects SSH session ID change followed by a suspicious SSHD child process, this may
indicate the successful execution of a potentially malicious process through the Pluggable
Authentication Module (PAM) utility. PAM is a framework used by Linux systems to authenticate
users. Adversaries may create malicious PAM modules that grant them persistence onto the
target every time a user logs in by executing a backdoor script or command.
"""
# Known benign sources of the same event pattern; document exceptions here rather
# than loosening the query.
false_positives = [
 "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
# Start of the look-back window on each execution, relative to run time. It is far
# wider than the query's 3 s maxspan, so a sequence that straddles two rule runs can
# still be matched (the scheduling interval itself is not set in this file).
from = "now-9m"
# Only Elastic Defend process events are searched; the rule never sees PAM
# configuration files or authentication logs directly.
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Backdoor Execution Through PAM_EXEC"
references = [
 "https://www.elastic.co/security-labs/approaching-the-summit-on-persistence",
 "https://www.group-ib.com/blog/pluggable-authentication-module/",
]
# 47 is the top of Elastic's "medium" risk band, consistent with `severity` below.
risk_score = 47
rule_id = "96f29282-ffcc-4ce7-834b-b17aee905568"
severity = "medium"
# The two Tactic tags mirror the [[rule.threat]] mappings at the end of the file.
tags = [
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Tactic: Persistence",
 "Data Source: Elastic Defend",
]
type = "eql"
# Two-stage EQL sequence, joined on process.entity_id (both events must belong to
# the same process) and closed within 3 seconds:
#   1. a session-ID change (event.action == "session_id_change") on a process
#      named ssh or sshd;
#   2. an exec whose parent is ssh/sshd, with exactly two argv entries (the
#      executable plus one argument, i.e. an `<interpreter> <script>`-shaped
#      command line), and at least one suspicious trait: a scripting-interpreter
#      name (perl/python/php/ruby/lua), an executable located under a
#      world-writable or otherwise unusual directory, or a dot-prefixed (hidden)
#      process name.
# NOTE(review): the shared entity_id presumably relies on the forked sshd child
# keeping its entity_id across exec — confirm against Elastic Defend's entity_id
# semantics before changing the join key.
# NOTE(review): the "./*" executable pattern only matches if process.executable can
# be a relative path in this data source — verify, otherwise it is dead weight.
query = '''
sequence by process.entity_id with maxspan=3s
 [process where host.os.type == "linux" and event.type == "change" and event.action == "session_id_change" and process.name in ("ssh", "sshd")]
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ("ssh", "sshd") and
 process.args_count == 2 and (
 process.name like ("perl*", "python*", "php*", "ruby*", "lua*") or
 process.executable like (
 "/tmp/*", "/var/tmp/*", "/dev/shm/*", "./*", "/boot/*", "/sys/*", "/lost+found/*", "/media/*", "/proc/*",
 "/var/backups/*", "/var/log/*", "/var/mail/*", "/var/spool/*") or
 process.name like ".*"
 )]
'''

# MITRE ATT&CK mappings: one [[rule.threat]] entry per tactic, each carrying the
# technique it covers. The first covers persistence via a modified system process.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# Second mapping: tampering with the authentication path (PAM) itself.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
References
Related rules
- Pluggable Authentication Module (PAM) Creation in Unusual Directory
- Pluggable Authentication Module (PAM) Version Discovery
- Polkit Policy Creation
- Potential OpenSSH Backdoor Logging Activity
- Potential Execution via XZBackdoor