Authentication via Unusual PAM Grantor
This rule detects successful authentications via PAM grantors that are not commonly used. The grantors are the PAM modules that returned success for an authentication, as listed in the `grantors=` field of the audit record that libpam emits (for example `op=PAM:authentication grantors=pam_unix ... res=success` in a USER_AUTH event). A grantor set that has not been seen before on a host could indicate an attacker has modified the default PAM configuration, or installed a module of their own, to escalate privileges or maintain persistence on the system.
Elastic rule
[metadata]
creation_date = "2024/03/06"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects successful authentications via PAM grantors that are not commonly used. This could indicate an
attacker is attempting to escalate privileges or maintain persistence on the system by modifying the default PAM
configuration.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "kuery"
license = "Elastic License v2"
name = "Authentication via Unusual PAM Grantor"
risk_score = 47
rule_id = "a8aaa49d-9834-462d-bf8f-b1255cebc004"
setup = """## Setup
This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
Kibana --> Management --> Integrations --> Auditd Manager --> Add Auditd Manager
`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
For this detection rule to trigger, no additional configuration is required.
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Data Source: Auditd Manager",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category:authentication and host.os.type:linux and event.action:authenticated and event.outcome:success and
auditd.data.grantors:(* and not (pam_rootok or *pam_cap* or *pam_permit*))
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Authentication via Unusual PAM Grantor

Pluggable Authentication Modules (PAM) are integral to Linux systems, managing authentication tasks. Adversaries may exploit uncommon PAM grantors to escalate privileges or maintain persistence by altering default configurations. The detection rule identifies successful authentications using atypical PAM grantors, signaling potential unauthorized access or configuration tampering.

### Possible investigation steps

- Review the specific PAM grantor involved in the authentication event to determine if it is known or expected in your environment.
- Check the user account associated with the authentication event for any signs of compromise or unusual activity, such as recent changes in permissions or unexpected login times.
- Investigate the source IP address and hostname of the authentication event to verify if it is a recognized and authorized system within your network.
- Examine recent changes to the PAM configuration files on the affected host to identify any unauthorized modifications or additions.
- Correlate this event with other security alerts or logs from the same host or user to identify potential patterns of malicious activity.
- Consult with system administrators or relevant personnel to confirm if the use of the unusual PAM grantor was part of a legitimate change or update.

### False positive analysis

- Custom PAM modules: Organizations may use custom PAM modules for specific applications or security policies. Review these modules to ensure they are legitimate and add them to an exception list if they are frequently triggering alerts.
- Administrative scripts: Some administrative scripts might use non-standard PAM grantors for automation purposes. Verify the scripts' legitimacy and consider excluding them from the rule if they are part of routine operations.
- Third-party software: Certain third-party software may install or use uncommon PAM grantors as part of their authentication process. Validate the software's authenticity and add its grantors to an exception list if they are known to be safe.
- Development environments: In development or testing environments, developers might experiment with different PAM configurations. Ensure these environments are properly isolated and consider excluding them from the rule to avoid unnecessary alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Review the PAM configuration files on the affected system to identify and revert any unauthorized changes to the grantors. Ensure only legitimate PAM modules are in use.
- Terminate any suspicious or unauthorized processes that may have been initiated by the attacker to maintain persistence or escalate privileges.
- Conduct a thorough review of user accounts and privileges on the affected system to identify any unauthorized changes or newly created accounts. Revoke any unauthorized access.
- Restore the affected system from a known good backup if unauthorized changes cannot be easily reverted or if the system's integrity is in question.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for PAM-related activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.new_terms]
field = "new_terms_fields"
value = ["auditd.data.grantors", "agent.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
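To see what the query and the new_terms settings above actually do to a stream of audit records, the following added example (not Elastic's code, and not how the integration is implemented) re-creates the rule offline: it parses constructed audit.log USER_AUTH lines, applies the KQL exclusions to the whole `grantors` value the way a keyword-field wildcard would, and alerts only when a (grantors, agent.id) pair has no occurrence in the preceding 14 days. The field mapping (USER_AUTH to `event.action: authenticated`, `res=` to `event.outcome`, msg keys to `auditd.data.*`), the simplified new-terms logic, the sample lines and the module name `pam_custom_auth` are all assumptions made for the example.

```python
"""Offline emulation of the "Authentication via Unusual PAM Grantor" rule (added example, not Elastic's code)."""
import re
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

HISTORY_WINDOW = timedelta(days=14)              # rule.new_terms.history_window_start = now-14d
EXCLUDED_EXACT = {"pam_rootok"}                  # KQL: not pam_rootok
EXCLUDED_GLOBS = ("*pam_cap*", "*pam_permit*")   # KQL wildcards, matched against the whole field value

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:\d+\):.*?msg='(?P<inner>[^']*)'")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line, agent_id):
    """Map one raw audit.log line to the fields the rule reads; None if it carries no PAM msg payload.
    Mapping is an assumption modelled on auditbeat's auditd module, not the integration's own code."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m["inner"])}
    grantors = kv.get("grantors")
    return {
        "@timestamp": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
        "event.action": "authenticated" if m["type"] == "USER_AUTH" else m["type"].lower(),
        "event.outcome": "success" if kv.get("res") == "success" else "failure",
        "auditd.data.grantors": None if grantors in (None, "?") else grantors,  # libpam writes '?' on failure
        "user.name": kv.get("acct"),
        "source.ip": kv.get("addr"),
        "agent.id": agent_id,
    }


def passes_query(ev):
    """The rule's KQL filter; host.os.type:linux is taken as given for every event here."""
    g = ev["auditd.data.grantors"]
    if ev["event.action"] != "authenticated" or ev["event.outcome"] != "success" or not g:
        return False
    if g in EXCLUDED_EXACT:
        return False
    return not any(fnmatchcase(g, pat) for pat in EXCLUDED_GLOBS)


class NewTermsDetector:
    """Alert when a (grantors, agent.id) pair has no matching event in the preceding history window."""

    def __init__(self, window=HISTORY_WINDOW):
        self.window = window
        self.seen = {}  # (grantors, agent.id) -> timestamps of events that passed the query

    def process(self, ev):
        if not passes_query(ev):
            return None
        key = (ev["auditd.data.grantors"], ev["agent.id"])
        ts = ev["@timestamp"]
        history = self.seen.setdefault(key, [])
        is_new = not any(ts - self.window <= t < ts for t in history)
        history.append(ts)
        if not is_new:
            return None
        return {"grantors": key[0], "agent.id": key[1], "user.name": ev["user.name"],
                "source.ip": ev["source.ip"], "@timestamp": ts.isoformat()}


def audit_line(ts, acct, grantors, res, exe="/usr/sbin/sshd", addr="10.0.0.5", terminal="ssh"):
    """Build a constructed USER_AUTH line in audit.log syntax (sample data, not a real capture)."""
    return (f"type=USER_AUTH msg=audit({ts}.123:{ts % 1000}): pid=1201 uid=0 auid=4294967295 "
            f"ses=4294967295 msg='op=PAM:authentication grantors={grantors} acct=\"{acct}\" "
            f"exe=\"{exe}\" hostname={addr} addr={addr} terminal={terminal} res={res}'")


DAY = 86400
T0 = 1710000000  # 2024-03-09T16:00:00Z
# Constructed timeline of (agent.id, raw line). pam_custom_auth is a hypothetical module name.
SAMPLE_EVENTS = [
    ("agent-a", audit_line(T0, "alice", "pam_unix", "success")),
    ("agent-a", audit_line(T0 + 1 * DAY, "alice", "pam_unix", "success")),
    ("agent-a", audit_line(T0 + 1 * DAY + 60, "root", "pam_rootok", "success", exe="/usr/bin/su", addr="?", terminal="pts/0")),
    ("agent-a", audit_line(T0 + 2 * DAY, "bob", "pam_unix,pam_permit", "success")),
    ("agent-a", audit_line(T0 + 2 * DAY + 60, "bob", "pam_unix,pam_custom_auth", "success")),
    ("agent-a", audit_line(T0 + 3 * DAY, "bob", "?", "failed")),
    ("agent-b", audit_line(T0 + 4 * DAY, "alice", "pam_unix", "success")),
    ("agent-a", audit_line(T0 + 30 * DAY, "alice", "pam_unix", "success")),
]


def run(events):
    """Feed (agent.id, line) pairs through the detector in order and return the alerts raised."""
    det = NewTermsDetector()
    alerts = []
    for agent_id, line in events:
        ev = parse_record(line, agent_id)
        if ev is not None:
            alert = det.process(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a)
```

Three behaviours of the sample run are worth keeping in mind when triaging. First, the wildcard exclusions apply to the entire `grantors` value, so a stack whose successful modules include `pam_permit` is dropped as a whole (the `pam_unix,pam_permit` line never reaches the new-terms stage); this assumes the field is indexed as a single keyword exactly as it appears in the raw record. Second, because `agent.id` is part of the new-terms key, a freshly enrolled agent (agent-b) raises one alert for an entirely ordinary `pam_unix` login. Third, a pair that goes quiet for longer than the 14-day window fires again when it reappears (the day-30 event), so a recurring alert on a known grantor is not by itself evidence of a change.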
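The investigation and remediation steps above ask the analyst to work out where the alerted grantor is wired into the host's PAM configuration and whether the stack contains modules that do not belong there. The following added example (not Elastic's code, and not part of the rule) parses pam.d-style files, flattens a service's `auth` stack through `@include`, `include` and `substack` directives, locates every line that loads a given grantor module, and lists referenced modules outside a known set. The sample pam.d contents, the `KNOWN_MODULES` allowlist and the module name `pam_custom_auth` are constructed for the example.

```python
"""PAM configuration review helpers for triaging an unusual-grantor alert (added example, not Elastic's code)."""
import re

PAM_LINE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)

# Constructed allowlist standing in for "modules shipped by the distro". On a real host derive it
# from package ownership instead (for example dpkg -S or rpm -qf on the files under the PAM module dir).
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_limits.so",
    "pam_nologin.so", "pam_motd.so", "pam_systemd.so", "pam_cap.so", "pam_rootok.so",
    "pam_faillock.so", "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so",
}


def parse_pam_file(text):
    """Return (lineno, type, control, module, args) tuples; '@include file' becomes control '@include'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            entries.append((lineno, None, "@include", line.split()[1], ""))
            continue
        m = PAM_LINE_RE.match(line)
        if m:
            entries.append((lineno, m["type"].lstrip("-"), m["control"], m["module"], m["args"].strip()))
    return entries


def resolve_stack(configs, service, mtype, depth=0):
    """Flatten one management group (e.g. 'auth') of a service in evaluation order, following includes."""
    if depth > 8 or service not in configs:
        return []
    out = []
    for lineno, t, control, module, args in parse_pam_file(configs[service]):
        if control == "@include" or (t == mtype and control in ("include", "substack")):
            out.extend(resolve_stack(configs, module, mtype, depth + 1))
        elif t == mtype:
            out.append((service, lineno, control, module, args))
    return out


def find_grantor_references(configs, grantor):
    """Every (file, lineno, type, control) that loads <grantor>.so, whatever the management group."""
    target = grantor if grantor.endswith(".so") else grantor + ".so"
    hits = []
    for name, text in configs.items():
        for lineno, t, control, module, _ in parse_pam_file(text):
            if module.rsplit("/", 1)[-1] == target:
                hits.append((name, lineno, t, control))
    return sorted(hits)


def unknown_modules(configs, known=KNOWN_MODULES):
    """Module file names referenced anywhere in the configs that are not in the known set."""
    found = set()
    for text in configs.values():
        for _, _, control, module, _ in parse_pam_file(text):
            if control not in ("@include", "include", "substack"):
                found.add(module.rsplit("/", 1)[-1])
    return sorted(found - set(known))


# Constructed Debian-style pam.d layout; the pam_custom_auth line is a hypothetical addition.
SAMPLE_PAM_D = {
    "sshd": "\n".join([
        "# constructed sample, Debian-style layout",
        "@include common-auth",
        "account    required     pam_nologin.so",
        "@include common-account",
        "session    required     pam_loginuid.so",
        "@include common-session",
        "session    optional     pam_motd.so motd=/run/motd.dynamic",
    ]),
    "common-auth": "\n".join([
        "auth    sufficient    pam_custom_auth.so   # hypothetical module, not shipped by the distro",
        "auth    [success=1 default=ignore]    pam_unix.so nullok",
        "auth    requisite     pam_deny.so",
        "auth    required      pam_permit.so",
        "auth    optional      pam_cap.so",
    ]),
    "common-account": "\n".join([
        "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so",
        "account requisite pam_deny.so",
        "account required  pam_permit.so",
    ]),
    "common-session": "\n".join([
        "session required pam_unix.so",
        "session optional pam_systemd.so",
    ]),
}

if __name__ == "__main__":
    for entry in resolve_stack(SAMPLE_PAM_D, "sshd", "auth"):
        print("sshd auth:", entry)
    print("references:", find_grantor_references(SAMPLE_PAM_D, "pam_custom_auth"))
    print("unknown:", unknown_modules(SAMPLE_PAM_D))
```

On a live host, populate the dictionary by reading every file under /etc/pam.d into it keyed by file name, and check the reported module files against their owning package (`dpkg --verify` or `rpm -V` on that package reports modified files). A `sufficient` entry placed ahead of `pam_unix.so`, as in the sample `common-auth`, is exactly the kind of ordering change that lets a module of the attacker's choosing become the sole grantor for a login, which is what the alert surfaces.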
Related rules
- Creation or Modification of Pluggable Authentication Module or Configuration
- Kernel Driver Load
- Kernel Driver Load by non-root User
- Kernel Load or Unload via Kexec Detected
- Kernel Module Load via insmod