Modification of Standard Authentication Module or Configuration

edit

Modification of Standard Authentication Module or Configuration

edit

Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Linux
  • Threat Detection
  • Credential Access
  • Persistence

Version: 3 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.

Rule query

edit
event.category:file and event.type:change and (file.name:pam_*.so
or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and
process.executable: (* and not ( /bin/yum or
"/usr/sbin/pam-auth-update" or /usr/libexec/packagekitd or
/usr/bin/dpkg or /usr/bin/vim or
/usr/libexec/xpcproxy or /usr/bin/bsdtar or
/usr/local/bin/brew or /usr/bin/rsync or /usr/bin/yum
or /var/lib/docker/*/bin/yum or
/var/lib/docker/*/bin/dpkg or
./merged/var/lib/docker/*/bin/dpkg or "/System/Library/Private
Frameworks/PackageKit.framework/Versions/A/XPCServices/package_script_
service.xpc/Contents/MacOS/package_script_service" ) ) and
not file.path: ( /tmp/snap.rootfs_*/pam_*.so or
/tmp/newroot/lib/*/pam_*.so or /private/var/folders/*/T/com
.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*
.so or /tmp/newroot/usr/lib64/security/pam_*.so )

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 3 (8.4.0 release)
  • Formatting only
Version 2 (7.13.0 release)
  • Updated query, changed from:

    event.category:file and event.type:change and (file.name:pam_*.so or
    file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and
    process.executable: (* and not ( /bin/yum or "/usr/sbin/pam-auth-
    update" or /usr/libexec/packagekitd or /usr/bin/dpkg or /usr/bin/vim
    or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew ) )