-
Notifications
You must be signed in to change notification settings - Fork 515
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] Pluggable Authentication Module Source Download (#4301)
* [New Rule] Pluggable Authentication Module Source Download * Update persistence_pluggable_authentication_module_source_download.toml * Update rules/linux/persistence_pluggable_authentication_module_source_download.toml
- Loading branch information
Showing
1 changed file
with
72 additions
and
0 deletions.
There are no files selected for viewing
72 changes: 72 additions & 0 deletions
72
rules/linux/persistence_pluggable_authentication_module_source_download.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| [metadata] | ||
| creation_date = "2024/12/16" | ||
| integration = ["endpoint"] | ||
| maturity = "production" | ||
| updated_date = "2024/12/16" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| This rule detects the usage of `curl` or `wget` to download the source code of a Pluggable Authentication Module (PAM) | ||
| shared object file. Attackers may download the source code of a PAM shared object file to create a backdoor in the | ||
| authentication process. | ||
| """ | ||
| false_positives = [ | ||
| "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.", | ||
| ] | ||
| from = "now-9m" | ||
| index = ["logs-endpoint.events.process*", "endgame-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Pluggable Authentication Module (PAM) Source Download" | ||
| references = [ | ||
| "https://github.com/zephrax/linux-pam-backdoor", | ||
| "https://github.com/eurialo/pambd", | ||
| "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", | ||
| "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html", | ||
| ] | ||
| risk_score = 21 | ||
| rule_id = "53ef31ea-1f8a-493b-9614-df23d8277232" | ||
| severity = "low" | ||
| tags = [ | ||
| "Domain: Endpoint", | ||
| "OS: Linux", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Credential Access", | ||
| "Tactic: Persistence", | ||
| "Data Source: Elastic Defend", | ||
| "Data Source: Elastic Endgame", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
| query = ''' | ||
| process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and | ||
| process.name in ("curl", "wget") and | ||
| process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz" | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1543" | ||
| name = "Create or Modify System Process" | ||
| reference = "https://attack.mitre.org/techniques/T1543/" | ||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0003" | ||
| name = "Persistence" | ||
| reference = "https://attack.mitre.org/tactics/TA0003/" | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1556" | ||
| name = "Modify Authentication Process" | ||
| reference = "https://attack.mitre.org/techniques/T1556/" | ||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0006" | ||
| name = "Credential Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0006/" |