[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#5421)

Aegrah · web-flow · commit 7aacebba0228 · 2025-12-08T18:54:23.000+05:30
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Modification of Standard Authentication Module or Configuration"
+name = "Deprecated - Modification of Standard Authentication Module or Configuration"
 references = [
     "https://github.com/zephrax/linux-pam-backdoor",
     "https://github.com/eurialo/pambd",
@@ -39,7 +39,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 event.category:file and event.type:change and
   (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and
@@ -74,7 +73,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Modification of Standard Authentication Module or Configuration
+### Investigating Deprecated - Modification of Standard Authentication Module or Configuration
 
 Authentication modules, such as PAM (Pluggable Authentication Modules), are crucial for managing user authentication in Linux and macOS environments. Adversaries may exploit these by altering module files or configurations to gain unauthorized access or escalate privileges. The detection rule identifies suspicious changes to these modules, excluding legitimate processes and paths, to flag potential unauthorized modifications.
 
diff --git a/rules/linux/persistence_pluggable_authentication_module_creation.toml b/rules/linux/persistence_pluggable_authentication_module_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/08"
 
 [rule]
 author = ["Elastic"]
@@ -42,12 +42,12 @@ type = "eql"
 query = '''
 file where host.os.type == "linux" and event.action in ("rename", "creation") and
 process.executable != null and (
-  (file.path like~ (
+  (file.path like (
     "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*",
     "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*"
   ) and file.extension == "so") or
-  (file.path like~ "/etc/pam.d/*" and file.extension == null) or
-  (file.path like~ "/etc/security/pam_*" or file.path == "/etc/pam.conf")
+  (file.path like "/etc/pam.d/*" and file.extension == null) or
+  (file.path like "/etc/security/pam_*" or file.path == "/etc/pam.conf")
 ) and not (
   process.executable in (
     "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
@@ -58,18 +58,23 @@ process.executable != null and (
     "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
     "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*",  "/usr/bin/pamac-daemon",
     "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update",
-    "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update"
+    "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update", "./user/bin/podman",
+    "/usr/bin/dnf5", "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/crio", "/sbin/authconfig", "/usr/sbin/yum-cron",
+    "/sbin/yum-cron", "/usr/local/psa/bin/dnf_install", "/opt/jc/bin/jumpcloud-agent"
+
   ) or
   file.path like (
     "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so"
   ) or
   file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
   file.Ext.original.extension == "dpkg-new" or
   process.executable like (
-    "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
+    "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/usr/bin/python*",
+    "/opt/alt/python*/bin/python*", "/usr/libexec/platform-python*", "./snap/snapd/*/usr/lib/snapd/snap-update-ns"
   ) or
   (process.name == "sed" and file.name like~ "sed*") or
-  (process.name == "perl" and file.name like~ "e2scrub_all.tmp*")
+  (process.name == "perl" and file.name like~ "e2scrub_all.tmp*") or
+  (process.name == "perl" and event.action == "rename" and file.Ext.original.name like "*.pam-new")
 )
 '''
 note = """## Triage and analysis
