Modification of Standard Authentication Module or Configuration

Adversaries may modify the standard authentication module for persistence by patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.

Rule type: new_terms

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: macOS
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Tactic: Persistence
  • Data Source: Elastic Defend

Version: 204

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

event.category:file and event.type:change and
  (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and
  process.executable:
    (* and
      not
      (
        /usr/libexec/packagekitd or
        /usr/bin/vim or
        /usr/libexec/xpcproxy or
        /usr/bin/bsdtar or
        /usr/local/bin/brew or
        "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
      )
    ) and
  not file.path:
         (
           /tmp/snap.rootfs_*/pam_*.so or
           /tmp/newroot/lib/*/pam_*.so or
           /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or
           /tmp/newroot/usr/lib64/security/pam_*.so
         ) and
  not process.name:
         (
           yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or
           dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or
           systemd or containerd or pacman
         )

Framework: MITRE ATT&CK™