Modification of Standard Authentication Module or Configurationedit

Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Linux
  • Threat Detection
  • Credential Access
  • Persistence

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positivesedit

Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.

Rule queryedit

event.category:file and event.type:change and (file.name:pam_*.so or
file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and
process.executable: (* and not ( /bin/yum or "/usr/sbin/pam-auth-
update" or /usr/libexec/packagekitd or /usr/bin/dpkg or /usr/bin/vim
or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew ) )

Threat mappingedit

Framework: MITRE ATT&CKTM