[New Rule] Pluggable Authentication Module Creation in Unusual Directory (#4302)

* [New Rule] Pluggable Authentication Module Creation in Unusual Directory

* Update persistence_pluggable_authentication_module_creation_in_unusual_dir.toml

* Update rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
Ruben Groenewoud
2025-01-03 14:35:08 +01:00
committed by GitHub
parent 5384191934
commit c7fe940206
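--- a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
+++ b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
@@ -0,0 +1,82 @@
+[metadata]
+creation_date = "2024/12/16"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2024/12/16"
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation of Pluggable Authentication Module (PAM) shared object files in unusual directories.
+Attackers may compile PAM shared object files in temporary directories, to move them to system directories later,
+potentially allowing them to maintain persistence on a compromised system, or harvest account credentials.
+"""
+false_positives = [
+"Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
+]
+from = "now-9m"
+index = ["logs-endpoint.events.file*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Pluggable Authentication Module (PAM) Creation in Unusual Directory"
+references = [
+"https://github.com/zephrax/linux-pam-backdoor",
+"https://github.com/eurialo/pambd",
+"http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html",
+"https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html",
+]
+risk_score = 21
+rule_id = "5c832156-5785-4c9c-a2e7-0d80d2ba3daa"
+severity = "low"
+tags = [
+"Domain: Endpoint",
+"OS: Linux",
+"Use Case: Threat Detection",
+"Tactic: Credential Access",
+"Tactic: Persistence",
+"Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where host.os.type == "linux" and event.type == "creation" and file.name like "pam_*.so" and not file.path like (
+"/lib/security/*",
+"/lib64/security/*",
+"/lib/x86_64-linux-gnu/security/*",
+"/usr/lib/security/*",
+"/usr/lib64/security/*",
+"/usr/lib/x86_64-linux-gnu/security/*"
+) and not (
+process.name in ("dockerd", "containerd", "steam", "buildkitd", "unsquashfs", "pacman") or
+file.path like (
+"/build/rootImage/nix/store/*", "/home/*/.local/share/containers/*", "/nix/store/*", "/var/lib/containerd/*",
+"/var/snap/*", "/usr/share/nix/nix/store/*", "/tmp/cura/squashfs-root/*", "/home/*/docker/*", "/tmp/containerd*"
+)
+)
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"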
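Review bot: The path allow-list in the query exempts only the x86_64 multiarch module directories (`/lib/x86_64-linux-gnu/security/*` and `/usr/lib/x86_64-linux-gnu/security/*`), so on arm64 Debian/Ubuntu hosts every legitimate package update that installs a `pam_*.so` into the aarch64 multiarch directory would fire as a false positive; adding `"/lib/aarch64-linux-gnu/security/*"` and `"/usr/lib/aarch64-linux-gnu/security/*"` to that list (or a single `"/usr/lib/*-linux-gnu/security/*"` pattern) keeps the rule aligned with its stated intent of flagging modules outside system directories. The `process.name in (...)` exemptions key on a name the process itself reports, which makes them a weaker exclusion than the path patterns beside them, so a short comment or a sentence in `false_positives` naming them as container/package-manager noise suppressions would help future tuning. The description also says attackers compile modules in "temporary directories", whereas the query alerts on any path not in the list (for example `/usr/local/lib/security`); stating that explicitly in the description would set analyst expectations correctly.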