Pluggable Authentication Module (PAM) Source Download

This rule detects the usage of curl or wget to download the source code of a Pluggable Authentication Module (PAM) shared object file. Attackers may download the source code of a PAM shared object file to create a backdoor in the authentication process.

Elastic rule

[metadata]
creation_date = "2024/12/16"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects the usage of `curl` or `wget` to download the source code of a Pluggable Authentication Module (PAM)
shared object file. Attackers may download the source code of a PAM shared object file to create a backdoor in the
authentication process.
"""
false_positives = [
    "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
from = "now-9m"
index = ["logs-endpoint.events.process*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Pluggable Authentication Module (PAM) Source Download"
references = [
    "https://github.com/zephrax/linux-pam-backdoor",
    "https://github.com/eurialo/pambd",
    "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
    "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
]
risk_score = 21
rule_id = "53ef31ea-1f8a-493b-9614-df23d8277232"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name in ("curl", "wget") and
process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Pluggable Authentication Module (PAM) Source Download

Pluggable Authentication Modules (PAM) are integral to Linux systems, managing authentication tasks. Adversaries may exploit PAM by downloading its source code to insert backdoors, compromising authentication. The detection rule identifies suspicious downloads of PAM source files using tools like `curl` or `wget`, flagging potential threats to system integrity and user credentials.

### Possible investigation steps

- Review the process details to confirm the use of `curl` or `wget` for downloading the PAM source file, focusing on the `process.name` and `process.args` fields to verify the URL pattern matches the suspicious download.
- Check the user account associated with the process execution to determine if the activity was initiated by a legitimate user or a potential adversary.
- Investigate the system's command history and logs to identify any preceding or subsequent commands that might indicate further malicious activity or attempts to compile and install the downloaded PAM source.
- Examine network logs for any unusual outbound connections or data exfiltration attempts following the download, which could suggest further compromise.
- Assess the integrity of existing PAM modules on the system to ensure no unauthorized modifications or backdoors have been introduced.
- Correlate this event with other alerts or anomalies on the same host to identify patterns or a broader attack campaign.

### False positive analysis

- Legitimate system administrators or developers may download PAM source files for testing or development purposes. To handle this, create exceptions for known user accounts or IP addresses that regularly perform such downloads.
- Automated scripts or configuration management tools might use `curl` or `wget` to download PAM source files as part of routine updates or system setups. Identify these scripts and whitelist their activities to prevent false positives.
- Security researchers or auditors may download PAM source files to conduct security assessments. Establish a process to verify and approve these activities, allowing exceptions for recognized research teams or individuals.
- Educational institutions or training environments might download PAM source files for instructional purposes. Implement a policy to exclude these environments from triggering alerts, ensuring they are recognized as non-threatening.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any active `curl` or `wget` processes identified in the alert to stop the download of potentially malicious PAM source files.
- Conduct a thorough review of PAM configuration files and shared object files on the affected system to identify and remove any unauthorized modifications or backdoors.
- Restore the affected system from a known good backup if unauthorized changes to PAM files are detected and cannot be easily reversed.
- Implement stricter access controls and monitoring on systems handling PAM configurations to prevent unauthorized downloads or modifications in the future.
- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.
- Update detection mechanisms to monitor for similar download attempts and unauthorized modifications to critical authentication components."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
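The query above is compact, but two of its operators carry semantics worth seeing spelled out: `like~` is a case-insensitive wildcard match (`*` any run of characters, `?` one character), and `process.args` is an array, so the clause fires if any single argument matches. The following Python reimplements the rule's clauses in plain code and runs them over a handful of constructed endpoint events, then applies the user-account exception the false-positive section recommends. This is an added example written for this page, not Elastic's own code or its EQL engine; the event layout, the `triage` helper, the `allowed_users` parameter and all sample events (user names, PIDs, URLs) are assumptions.

```python
import re

# Pattern copied verbatim from the rule's EQL query.
PAM_SOURCE_PATTERN = (
    "https://github.com/linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz"
)
DOWNLOAD_TOOLS = {"curl", "wget"}          # process.name in (...)
EXEC_ACTIONS = {"exec", "exec_event"}      # event.action in (...)


def eql_like_ci(pattern):
    """Compile an EQL `like~` wildcard pattern: `*` matches any run of characters,
    `?` matches exactly one, the match is case-insensitive and anchored at both ends."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)


_PAM_URL = eql_like_ci(PAM_SOURCE_PATTERN)


def _as_list(value):
    """ECS fields such as event.type and process.args may arrive as a scalar or an array."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event):
    """True when one process event satisfies every clause of the rule's query."""
    host_os = event.get("host", {}).get("os", {}).get("type")
    ev = event.get("event", {})
    proc = event.get("process", {})
    return (
        host_os == "linux"
        and "start" in _as_list(ev.get("type"))
        and ev.get("action") in EXEC_ACTIONS
        and proc.get("name") in DOWNLOAD_TOOLS
        # process.args is an array; `like~` is satisfied by any element.
        and any(_PAM_URL.match(arg) for arg in _as_list(proc.get("args")))
    )


def triage(events, allowed_users=frozenset()):
    """Run the rule over events and apply the exception the false-positive section
    suggests: drop hits from known accounts that legitimately fetch PAM sources."""
    alerts = []
    for event in events:
        if not matches_rule(event):
            continue
        user = event.get("user", {}).get("name", "<unknown>")
        if user in allowed_users:
            continue
        url = next(a for a in event["process"]["args"] if _PAM_URL.match(a))
        alerts.append({"user": user, "pid": event["process"].get("pid"), "url": url})
    return alerts


def _proc_event(os_type, action, name, args, user, pid):
    """Build a minimal ECS-shaped process event (constructed sample data)."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": ["start"], "action": action},
        "process": {"name": name, "args": args, "pid": pid},
        "user": {"name": user},
    }


PAM_URL = "https://github.com/linux-pam/linux-pam/releases/download/v1.6.1/Linux-PAM-1.6.1.tar.xz"

# Constructed sample events; the accounts, PIDs and URLs are invented for this example.
SAMPLE_EVENTS = [
    # 1: web-server account pulling the PAM tarball with curl -> alert
    _proc_event("linux", "exec", "curl", ["curl", "-L", "-o", "pam.tar.xz", PAM_URL], "www-data", 4242),
    # 2: build account, mixed-case URL -> still matches because of like~; allowlisted below
    _proc_event("linux", "exec_event", "wget",
                ["wget", "HTTPS://GITHUB.COM/linux-pam/linux-pam/releases/download/v1.5.3/Linux-PAM-1.5.3.tar.xz"],
                "build", 4243),
    # 3: curl fetching an unrelated URL -> no match
    _proc_event("linux", "exec", "curl", ["curl", "https://example.invalid/index.html"], "www-data", 4244),
    # 4: non-Linux host -> no match even though the URL matches
    _proc_event("windows", "exec", "curl", ["curl", PAM_URL], "www-data", 4245),
    # 5: fork rather than exec -> no match
    _proc_event("linux", "fork", "wget", ["wget", PAM_URL], "www-data", 4246),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, allowed_users={"build"}):
        print(alert)
```

Running the script prints only the `www-data` hit: the `build` account is suppressed by the allowlist, and events 3 to 5 never match. Note that the allowlist keys on `user.name` only; the false-positive section also mentions exceptions by IP address, which would need the host or source fields added to the same check.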
