IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Modification of Safari Settings via Defaults Command Modification of WDigest Security Provider »

› › ›

Modification of Standard Authentication Module or Configuration

edit

Modification of Standard Authentication Module or Configuration

edit

Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.

Rule type: query

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
macOS
Linux
Threat Detection
Credential Access
Persistence

Version: 2 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 7.13.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.

Rule query

edit

event.category:file and event.type:change and (file.name:pam_*.so
or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and
process.executable: (* and not ( /bin/yum or
"/usr/sbin/pam-auth-update" or /usr/libexec/packagekitd or
/usr/bin/dpkg or /usr/bin/vim or
/usr/libexec/xpcproxy or /usr/bin/bsdtar or
/usr/local/bin/brew or /usr/bin/rsync or /usr/bin/yum
or /var/lib/docker/*/bin/yum or
/var/lib/docker/*/bin/dpkg or
./merged/var/lib/docker/*/bin/dpkg or "/System/Library/Private
Frameworks/PackageKit.framework/Versions/A/XPCServices/package_script_
service.xpc/Contents/MacOS/package_script_service" ) ) and
not file.path: ( /tmp/snap.rootfs_*/pam_*.so or
/tmp/newroot/lib/*/pam_*.so or /private/var/folders/*/T/com
.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*
.so or /tmp/newroot/usr/lib64/security/pam_*.so )

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Modify Authentication Process
- ID: T1556
- Reference URL: https://attack.mitre.org/techniques/T1556/

Rule version history

edit

Version 2 (7.13.0 release)

Updated query, changed from:

event.category:file and event.type:change and (file.name:pam_*.so or
file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and
process.executable: (* and not ( /bin/yum or "/usr/sbin/pam-auth-
update" or /usr/libexec/packagekitd or /usr/bin/dpkg or /usr/bin/vim
or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew ) )

« Modification of Safari Settings via Defaults Command Modification of WDigest Security Provider »