Linux Keylogging with Pam.d
Detect attempt to enable auditing of TTY input
Sigma rule (View on GitHub)
1title: Linux Keylogging with Pam.d
2id: 49aae26c-450e-448b-911d-b3c13d178dfc
3status: test
4description: Detect attempt to enable auditing of TTY input
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
7 - https://linux.die.net/man/8/pam_tty_audit
8 - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
9 - https://access.redhat.com/articles/4409591#audit-record-types-2
10author: 'Pawel Mazur'
11date: 2021-05-24
12modified: 2022-12-18
13tags:
14 - attack.credential-access
15 - attack.t1003
16 - attack.t1056.001
17logsource:
18 product: linux
19 service: auditd
20detection:
21 selection_path_events:
22 type: PATH
23 name:
24 - '/etc/pam.d/system-auth'
25 - '/etc/pam.d/password-auth'
26 selection_tty_events:
27 type:
28 - 'TTY'
29 - 'USER_TTY'
30 condition: 1 of selection_*
31falsepositives:
32 - Administrative work
33level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
-
The Audit System Reference provides lists of supported Audit event fields and record types in RHEL 7 and RHEL 8.
Read More
Related rules
- Access To Crypto Currency Wallets By Uncommon Applications
- Capture Credentials with Rpcping.exe
- Credential Manager Access By Uncommon Applications
- Esentutl Gather Credentials
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump