[New Hunt] Linux PAM Persistence

Author: Aegrah

hunting/index.md

@@ -42,6 +42,7 @@ Here are the queries currently available:
 - [Persistence via Cron](./linux/docs/persistence_via_cron.md) (ES|QL)
 - [Persistence via Message-of-the-Day](./linux/docs/persistence_via_message_of_the_day.md) (ES|QL)
 - [Persistence via Package Manager](./linux/docs/persistence_via_package_manager.md) (ES|QL)
+- [Persistence via Pluggable Authentication Modules](./linux/docs/persistence_via_pluggable_authentication_module.md) (ES|QL)
 - [Persistence via SSH Configurations and/or Keys](./linux/docs/persistence_via_ssh_configurations_and_keys.md) (ES|QL)
 - [Persistence via System V Init](./linux/docs/persistence_via_sysv_init.md) (ES|QL)
 - [Persistence via Systemd (Timers)](./linux/docs/persistence_via_systemd_timers.md) (ES|QL)

hunting/index.yml

@@ -220,6 +220,11 @@ linux:
     mitre:
     - T1037.004
     - T1546.003
+  2a3c46b8-7bd6-4bc4-a4a8-a1af114ea152:
+    name: Persistence via Pluggable Authentication Modules
+    path: ./linux/queries/persistence_via_pluggable_authentication_module.toml
+    mitre:
+    - T1556.003
 okta:
   0b936024-71d9-11ef-a9be-f661ea17fbcc:
     name: Failed OAuth Access Token Retrieval via Public Client App

hunting/linux/docs/persistence_via_pluggable_authentication_module.md

@@ -0,0 +1,93 @@
+# Persistence via Pluggable Authentication Modules
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies potential persistence mechanisms leveraging Pluggable Authentication Modules (PAM) on Linux systems. PAM is a powerful framework for managing authentication-related tasks, but its flexibility can be abused by attackers to introduce malicious modules or modify configurations to gain unauthorized access or establish persistence. This hunt monitors for modifications to PAM-related files, directories, and modules.
+
+- **UUID:** `2a3c46b8-7bd6-4bc4-a4a8-a1af114ea152`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[ES|QL, SQL]`
+- **Source File:** [Persistence via Pluggable Authentication Modules](../queries/persistence_via_pluggable_authentication_module.toml)
+
+## Query
+
+```sql
+from logs-endpoint.events.file-*
+| where @timestamp > now() - 7 days
+| where host.os.type == "linux" and event.action in ("rename", "creation") and (
+  file.path like "/lib/security/*" or
+  file.path like "/lib64/security/*" or
+  file.path like "/usr/lib64/security/*" or
+  file.path like "/usr/lib/x86_64-linux-gnu/security/*" or
+  file.path like "/lib/x86_64-linux-gnu/security/*" or
+  file.path like "/etc/pam.d/*" or
+  file.path == "/etc/pam.conf"
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+```
+
+```sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE
+    f.path LIKE '/lib/security/%'
+    OR f.path LIKE '/lib64/security/%'
+    OR f.path LIKE '/usr/lib/security/%'
+    OR f.path LIKE '/usr/lib64/security/%'
+    OR f.path LIKE '/usr/lib/x86_64-linux-gnu/security/%'
+    OR f.path LIKE '/lib/x86_64-linux-gnu/security/%'
+    OR f.path like '/etc/pam.d/%'
+    OR f.path = '/etc/pam.conf'
+```
+
+```sql
+SELECT * FROM file
+WHERE (
+       path LIKE '/lib/security/%'
+       OR path LIKE '/lib64/security/%'
+       OR path LIKE '/usr/lib/security/%'
+       OR path LIKE '/usr/lib64/security/%'
+       OR path LIKE '/usr/lib/x86_64-linux-gnu/security/%'
+       OR path LIKE '/lib/x86_64-linux-gnu/security/%'
+       OR path like '/etc/pam.d/%'
+       OR path = '/etc/pam.conf'
+     )
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+```
+
+## Notes
+
+- PAM modules are critical to Linux authentication workflows, but they can be abused to establish persistence or execute malicious actions.
+- This hunt identifies suspicious file creation or modification events in PAM directories, such as /etc/pam.d/, /lib/security/, and related paths.
+- Uses ES|QL queries to track file events and identify potentially malicious activity based on process activity and file paths.
+- Complemented by OSQuery queries to provide detailed file metadata for modified PAM-related files, including timestamps and ownership information.
+- The hunt focuses on minimizing false positives by excluding common legitimate processes while tagging unusual activity.
+- MITRE ATT&CK Technique T1556.003 (Modify Authentication Process: Pluggable Authentication Modules) is addressed in this hunt.
+
+## MITRE ATT&CK Techniques
+
+- [T1556.003](https://attack.mitre.org/techniques/T1556/003)
+
+## License
+
+- `Elastic License v2`

hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

@@ -0,0 +1,80 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt identifies potential persistence mechanisms leveraging Pluggable Authentication Modules (PAM) on Linux systems. PAM is a powerful framework for managing authentication-related tasks, but its flexibility can be abused by attackers to introduce malicious modules or modify configurations to gain unauthorized access or establish persistence. This hunt monitors for modifications to PAM-related files, directories, and modules.
+"""
+integration = ["endpoint"]
+uuid = "2a3c46b8-7bd6-4bc4-a4a8-a1af114ea152"
+name = "Persistence via Pluggable Authentication Modules"
+language = ["ES|QL", "SQL"]
+license = "Elastic License v2"
+notes = [
+    "PAM modules are critical to Linux authentication workflows, but they can be abused to establish persistence or execute malicious actions.",
+    "This hunt identifies suspicious file creation or modification events in PAM directories, such as /etc/pam.d/, /lib/security/, and related paths.",
+    "Uses ES|QL queries to track file events and identify potentially malicious activity based on process activity and file paths.",
+    "Complemented by OSQuery queries to provide detailed file metadata for modified PAM-related files, including timestamps and ownership information.",
+    "The hunt focuses on minimizing false positives by excluding common legitimate processes while tagging unusual activity.",
+    "MITRE ATT&CK Technique T1556.003 (Modify Authentication Process: Pluggable Authentication Modules) is addressed in this hunt."
+]
+mitre = ["T1556.003"]
+
+query = [
+'''
+from logs-endpoint.events.file-*
+| where @timestamp > now() - 7 days
+| where host.os.type == "linux" and event.action in ("rename", "creation") and (
+  file.path like "/lib/security/*" or
+  file.path like "/lib64/security/*" or
+  file.path like "/usr/lib64/security/*" or
+  file.path like "/usr/lib/x86_64-linux-gnu/security/*" or
+  file.path like "/lib/x86_64-linux-gnu/security/*" or
+  file.path like "/etc/pam.d/*" or
+  file.path == "/etc/pam.conf"
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+''', 
+'''
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE
+    f.path LIKE '/lib/security/%'
+    OR f.path LIKE '/lib64/security/%'
+    OR f.path LIKE '/usr/lib/security/%'
+    OR f.path LIKE '/usr/lib64/security/%'
+    OR f.path LIKE '/usr/lib/x86_64-linux-gnu/security/%'
+    OR f.path LIKE '/lib/x86_64-linux-gnu/security/%'
+    OR f.path like '/etc/pam.d/%'
+    OR f.path = '/etc/pam.conf'
+''',  
+'''
+SELECT * FROM file
+WHERE (
+       path LIKE '/lib/security/%'
+       OR path LIKE '/lib64/security/%'
+       OR path LIKE '/usr/lib/security/%'
+       OR path LIKE '/usr/lib64/security/%'
+       OR path LIKE '/usr/lib/x86_64-linux-gnu/security/%'
+       OR path LIKE '/lib/x86_64-linux-gnu/security/%'
+       OR path like '/etc/pam.d/%'
+       OR path = '/etc/pam.conf'
+     )
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+'''
+]