Modification of Standard Authentication Module or Configuration

Adversaries may modify the standard authentication module for persistence, either by patching the normal authentication process itself (on Linux and macOS, a PAM shared object, pam_*.so) or by modifying the login configuration under /etc/pam.d to allow unauthorized access or to elevate privileges.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Linux
  • Threat Detection
  • Credential Access
  • Persistence

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.

Rule query

event.category:file and event.type:change and
(file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and
process.executable:(* and not (/bin/yum or "/usr/sbin/pam-auth-update" or
/usr/libexec/packagekitd or /usr/bin/dpkg or /usr/bin/vim or /usr/libexec/xpcproxy or
/usr/bin/bsdtar or /usr/local/bin/brew))
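The query above, re-implemented as a Python predicate and run over constructed ECS-style file events so the alert/suppress decision for each case can be inspected offline. This is an added example, not Elastic's rule engine or any code from the rule itself; it assumes flattened ECS field names, treats the KQL `*` wildcard as fnmatch's `*` (both span `/`), and the sample events and their paths are constructed, not real telemetry.

```python
"""Python replica of the Elastic rule query for PAM module / pam.d changes.

Added, illustrative code: the field names follow ECS and the patterns and
exclusion list are copied from the rule query; the events below are constructed.
"""
import fnmatch
from typing import Dict, Iterable, List

# Exclusion list copied from the rule query (package managers, editors, brew).
ALLOWED_EXECUTABLES = frozenset({
    "/bin/yum",
    "/usr/sbin/pam-auth-update",
    "/usr/libexec/packagekitd",
    "/usr/bin/dpkg",
    "/usr/bin/vim",
    "/usr/libexec/xpcproxy",
    "/usr/bin/bsdtar",
    "/usr/local/bin/brew",
})

# KQL wildcards from the query. In a keyword wildcard query `*` also matches
# `/`, which fnmatch's `*` reproduces (assumption: keyword-mapped fields).
PAM_PATH_PATTERNS = ("/etc/pam.d/*", "/private/etc/pam.d/*")
PAM_MODULE_PATTERN = "pam_*.so"


def matches_rule(event: Dict[str, str]) -> bool:
    """True when one flattened ECS event satisfies the rule query."""
    if event.get("event.category") != "file" or event.get("event.type") != "change":
        return False
    touches_pam = fnmatch.fnmatchcase(event.get("file.name", ""), PAM_MODULE_PATTERN) or any(
        fnmatch.fnmatchcase(event.get("file.path", ""), pat) for pat in PAM_PATH_PATTERNS
    )
    if not touches_pam:
        return False
    # `process.executable:(* and not (...))`: the field must be present and must
    # not be one of the exempted executables.
    exe = event.get("process.executable")
    return bool(exe) and exe not in ALLOWED_EXECUTABLES


def alerting_events(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of the events that would raise an alert."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    # A script rewrites the sshd PAM stack with sed: alerts.
    {"id": "sed-sshd", "event.category": "file", "event.type": "change",
     "file.path": "/etc/pam.d/sshd", "file.name": "sshd",
     "process.executable": "/usr/bin/sed"},
    # Package manager updating a PAM config: exempted by the rule.
    {"id": "dpkg-common-auth", "event.category": "file", "event.type": "change",
     "file.path": "/etc/pam.d/common-auth", "file.name": "common-auth",
     "process.executable": "/usr/bin/dpkg"},
    # A PAM shared object overwritten by cp: alerts on file.name, so the
    # module directory does not matter.
    {"id": "cp-pam-module", "event.category": "file", "event.type": "change",
     "file.path": "/lib/x86_64-linux-gnu/security/pam_unix.so",
     "file.name": "pam_unix.so", "process.executable": "/usr/bin/cp"},
    # Same kind of edit made interactively with vim: suppressed by the
    # exclusion list, whoever is at the keyboard.
    {"id": "vim-sudo", "event.category": "file", "event.type": "change",
     "file.path": "/etc/pam.d/sudo", "file.name": "sudo",
     "process.executable": "/usr/bin/vim"},
    # macOS path variant written by a shell: alerts.
    {"id": "zsh-macos", "event.category": "file", "event.type": "change",
     "file.path": "/private/etc/pam.d/screensaver", "file.name": "screensaver",
     "process.executable": "/bin/zsh"},
    # Typed as a creation rather than a change: not matched by this query.
    {"id": "touch-new-file", "event.category": "file", "event.type": "creation",
     "file.path": "/etc/pam.d/newservice", "file.name": "newservice",
     "process.executable": "/usr/bin/touch"},
    # Unrelated config file: not matched.
    {"id": "sed-sshd-config", "event.category": "file", "event.type": "change",
     "file.path": "/etc/ssh/sshd_config", "file.name": "sshd_config",
     "process.executable": "/usr/bin/sed"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:<18} {'ALERT' if matches_rule(ev) else 'no alert'}")
```

Two points the sample events make visible: the exclusion list is keyed only on process.executable, so an edit of /etc/pam.d/sudo made with /usr/bin/vim is suppressed whether an administrator or an intruder made it, and the query matches event.type:change only, so check how your data source types file creation and rename before assuming a freshly dropped file under /etc/pam.d is covered.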

Threat mapping

Framework: MITRE ATT&CK™