可插拔身份验证模块或配置的创建或修改
编辑可插拔身份验证模块或配置的创建或修改
编辑此规则监控可插拔身份验证模块 (PAM) 共享对象文件或配置文件的创建或修改。攻击者可能会创建或修改这些文件以在受感染的系统上保持持久性,或窃取帐户凭据。
规则类型: eql
规则索引:
- logs-endpoint.events.file*
严重性: 中等
风险评分: 47
每隔: 5m
搜索索引时间范围: now-9m (日期数学格式,另请参阅 额外回溯时间
)
每次执行的最大告警数: 100
参考:
标签:
- 域:端点
- 操作系统:Linux
- 用例:威胁检测
- 战术:凭据访问
- 战术:持久性
- 数据源:Elastic Defend
版本: 2
规则作者:
- Elastic
规则许可证: Elastic License v2
规则查询
编辑file where host.os.type == "linux" and event.action in ("rename", "creation") and process.executable != null and ( (file.path : ("/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*", "/usr/lib/x86_64-linux-gnu/security/*") and file.extension == "so") or (file.path : "/etc/pam.d/*" and file.extension == null) or (file.path : "/etc/security/pam_*" or file.path == "/etc/pam.conf") ) and not ( process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update", "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update" ) or file.path : ( "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so" ) or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or file.Ext.original.extension == "dpkg-new" or process.executable : ( "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" ) or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") )
框架: MITRE ATT&CKTM
-
战术
- 名称:持久性
- ID:TA0003
- 参考网址:https://attack.mitre.org/tactics/TA0003/
-
技术
- 名称:创建或修改系统进程
- ID:T1543
- 参考网址:https://attack.mitre.org/techniques/T1543/
-
战术
- 名称:凭据访问
- ID:TA0006
- 参考网址:https://attack.mitre.org/tactics/TA0006/
-
技术
- 名称:修改身份验证过程
- ID:T1556
- 参考网址:https://attack.mitre.org/techniques/T1556/