
Commit fcd2086

committed
Fixed notes
1 parent fada8a1 commit fcd2086

2 files changed

+3
-5
lines changed


hunting/linux/docs/persistence_via_pluggable_authentication_module.md

Lines changed: 1 addition & 2 deletions
@@ -16,6 +16,7 @@
1616

1717
```sql
1818
from logs-endpoint.events.file-*
19+
| keep @timestamp, host.os.type, event.type, event.action, file.path, process.executable, agent.id
1920
| where @timestamp > now() - 7 days
2021
| where host.os.type == "linux" and event.action in ("rename", "creation") and (
2122
file.path like "/lib/security/*" or
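Review bot: the new `| keep @timestamp, host.os.type, event.type, event.action, file.path, process.executable, agent.id` sits before the `where` filters, so every column referenced anywhere later in the pipeline must be in that list or ES|QL fails with an unknown-column error. The visible `where` clauses only use @timestamp, host.os.type, event.action and file.path, which are all kept, but the remainder of the query (any process exclusions or `stats`) is outside this hunk; check that it references nothing beyond these seven columns, and drop `event.type` from the list if nothing downstream uses it.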
@@ -81,8 +82,6 @@ AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 day
8182
- This hunt identifies suspicious file creation or modification events in PAM directories, such as /etc/pam.d/, /lib/security/, and related paths.
8283
- Uses ES|QL queries to track file events and identify potentially malicious activity based on process activity and file paths.
8384
- Complemented by OSQuery queries to provide detailed file metadata for modified PAM-related files, including timestamps and ownership information.
84-
- The hunt focuses on minimizing false positives by excluding common legitimate processes while tagging unusual activity.
85-
- MITRE ATT&CK Technique T1556.003 (Modify Authentication Process: Pluggable Authentication Modules) is addressed in this hunt.
8685

8786
## MITRE ATT&CK Techniques
8887
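Review bot: removing the T1556.003 bullet is a good deduplication, since the `## MITRE ATT&CK Techniques` heading follows immediately after the list, but removing the false-positive bullet deletes the only statement that the query excludes common legitimate processes. If that exclusion logic is still in the ES|QL query, keep one sentence about it (ideally naming the excluded executables) so analysts know what to tune; if the exclusions were removed as well, the notes should say the hunt is expected to be noisier.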

hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

Lines changed: 2 additions & 3 deletions
@@ -12,15 +12,14 @@ notes = [
1212
"PAM modules are critical to Linux authentication workflows, but they can be abused to establish persistence or execute malicious actions.",
1313
"This hunt identifies suspicious file creation or modification events in PAM directories, such as /etc/pam.d/, /lib/security/, and related paths.",
1414
"Uses ES|QL queries to track file events and identify potentially malicious activity based on process activity and file paths.",
15-
"Complemented by OSQuery queries to provide detailed file metadata for modified PAM-related files, including timestamps and ownership information.",
16-
"The hunt focuses on minimizing false positives by excluding common legitimate processes while tagging unusual activity.",
17-
"MITRE ATT&CK Technique T1556.003 (Modify Authentication Process: Pluggable Authentication Modules) is addressed in this hunt."
15+
"Complemented by OSQuery queries to provide detailed file metadata for modified PAM-related files, including timestamps and ownership information."
1816
]
1917
mitre = ["T1556.003"]
2018

2119
query = [
2220
'''
2321
from logs-endpoint.events.file-*
22+
| keep @timestamp, host.os.type, event.type, event.action, file.path, process.executable, agent.id
2423
| where @timestamp > now() - 7 days
2524
| where host.os.type == "linux" and event.action in ("rename", "creation") and (
2625
file.path like "/lib/security/*" or
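Review bot: the `notes` array now matches the docs file, and dropping the MITRE sentence is correct here because `mitre = ["T1556.003"]` already records it in structured form. Two minor points: the last `notes` element no longer carries a trailing comma, which is fine (TOML accepts either), and the `| keep` line added inside the `'''` query must stay identical to the copy in the markdown; if the docs are generated from this TOML, regenerate them rather than editing both files by hand.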
