security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Potential Backdoor Execution Through PAM_EXEC (#4674)

Browse Source
This commit is contained in:
Ruben Groenewoud
2025-05-06 12:43:23 +02:00
committed by GitHub
parent 91acb4e9ce
commit eb3520a63b
1 changed files with 77 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml
+77
View File
@@ -0,0 +1,77 @@
[metadata]
creation_date = "2025/04/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/04/29"
[rule]
author = ["Elastic"]
description = """
This rule detects SSH session ID change followed by a suspicious SSHD child process, this may
indicate the successful execution of a potentially malicious process through the Pluggable
Authentication Module (PAM) utility. PAM is a framework used by Linux systems to authenticate
users. Adversaries may create malicious PAM modules that grant them persistence onto the
target every time a user logs in by executing a backdoor script or command.
"""
false_positives = [
"Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.",
]
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Backdoor Execution Through PAM_EXEC"
references = [
"https://www.elastic.co/security-labs/approaching-the-summit-on-persistence",
"https://www.group-ib.com/blog/pluggable-authentication-module/",
]
risk_score = 47
rule_id = "96f29282-ffcc-4ce7-834b-b17aee905568"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Persistence",
"Data Source: Elastic Defend",
]
type = "eql"
query = '''
sequence by process.entity_id with maxspan=3s
[process where host.os.type == "linux" and event.type == "change" and event.action == "session_id_change" and process.name in ("ssh", "sshd")]
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ("ssh", "sshd") and
process.args_count == 2 and (
process.name like ("perl*", "python*", "php*", "ruby*", "lua*") or
process.executable like (
"/tmp/*", "/var/tmp/*", "/dev/shm/*", "./*", "/boot/*", "/sys/*", "/lost+found/*", "/media/*", "/proc/*",
"/var/backups/*", "/var/log/*", "/var/mail/*", "/var/spool/*") or
process.name like ".*"
)]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"