[metadata] creation_date = "2024/12/16" integration = ["endpoint"] maturity = "production" updated_date = "2024/12/16" [rule] author = ["Elastic"] description = """ This rule detects the usage of `curl` or `wget` to download the source code of a Pluggable Authentication Module (PAM) shared object file. Attackers may download the source code of a PAM shared object file to create a backdoor in the authentication process. """ false_positives = [ "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.", ] from = "now-9m" index = ["logs-endpoint.events.process*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Pluggable Authentication Module (PAM) Source Download" references = [ "https://github.com/zephrax/linux-pam-backdoor", "https://github.com/eurialo/pambd", "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html", ] risk_score = 21 rule_id = "53ef31ea-1f8a-493b-9614-df23d8277232" severity = "low" tags = [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name in ("curl", "wget") and process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz" ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/"