From 1153581ede706dd4ee657af73469f1fcfb8d7d65 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 16 Dec 2024 13:30:36 +0100
Subject: [PATCH 1/5] [New Rule] PAM Version Discovery
---
 .../discovery_pam_version_discovery.toml | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 rules/linux/discovery_pam_version_discovery.toml
diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml
new file mode 100644
index 00000000000..537d2eb59a7
--- /dev/null
+++ b/rules/linux/discovery_pam_version_discovery.toml
@@ -0,0 +1,78 @@
+[metadata]
+creation_date = "2024/12/16"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2024/12/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects PAM version discovery activity on Linux systems. PAM version discovery can be an indication of an
+attacker attempting to backdoor the authentication process through malicious PAM modules.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "PAM Version Discovery"
+references = [
+ "https://www.group-ib.com/blog/pluggable-authentication-module/",
+ "https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/",
+]
+risk_score = 21
+rule_id = "135abb91-dcf4-48aa-b81a-5ad036b67c68"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
+ (process.name in ("dpkg", "dpkg-query") and process.args == "libpam-modules") or
+ (process.name == "rpm" and process.args == "pam")
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
From c5db14c09e451abe1e4b6b0a27d865543abd61e3 Mon Sep 17 00:00:00 2001
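Review bot: The rule has no `false_positives` entry even though the `query` block fires on any `dpkg`/`dpkg-query` execution carrying the argument `libpam-modules` or any `rpm` execution carrying the argument `pam`, which package-inventory and compliance tooling can plausibly issue on a schedule; a line such as `false_positives = ["Package inventory or compliance tooling that queries the installed PAM package version."]` under `[rule]` would give analysts a starting point for triage. Because the match is on an exact package-name token for two package managers, coverage is also narrower than the description's general "PAM version discovery" wording; either state that scope in the description or widen the argument list deliberately. Minor: the setup text links `fleet/8.10/agent-policy.html` while the neighbouring links use `current`.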
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 16 Dec 2024 13:34:10 +0100
Subject: [PATCH 2/5] Update discovery_pam_version_discovery.toml
---
 .../discovery_pam_version_discovery.toml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml
index 537d2eb59a7..3d568c8211c 100644
--- a/rules/linux/discovery_pam_version_discovery.toml
+++ b/rules/linux/discovery_pam_version_discovery.toml
@@ -52,6 +52,8 @@ tags = [
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
+ "Tactic: Persistence",
+ "Tactic: "Credential Access",
 "Data Source: Elastic Defend",
 "Data Source: Elastic Endgame",
 ]
@@ -76,3 +78,29 @@ reference = "https://attack.mitre.org/techniques/T1082/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
From 7f560510109e60421a29914b2025b27d04c759ec Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 16 Dec 2024 13:34:40 +0100
Subject: [PATCH 3/5] Update discovery_pam_version_discovery.toml
---
 rules/linux/discovery_pam_version_discovery.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
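Review bot: The Credential Access mapping added at the end of the second hunk stops at T1556, although ATT&CK has a PAM-specific sub-technique, T1556.003 (Pluggable Authentication Modules), which is exactly the behaviour the rule description targets; a `[[rule.threat.technique.subtechnique]]` block should sit under that technique, after its `reference` line and before the `[rule.threat.tactic]` header of the same threat entry. The Persistence mapping to T1543 (Create or Modify System Process) looks loose for a rule about PAM modules: T1556 is itself listed under Persistence in ATT&CK, so the same T1556/T1556.003 pair under TA0003 may be the more accurate choice, though that is a judgement for the author. The tag typo in the first hunk is already corrected by the following commit in the series.
```toml
[[rule.threat.technique]]
id = "T1556"
# … unchanged: name, reference …

[[rule.threat.technique.subtechnique]]
id = "T1556.003"
name = "Pluggable Authentication Modules"
reference = "https://attack.mitre.org/techniques/T1556/003/"

# … unchanged: [rule.threat.tactic] TA0006 Credential Access …
```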
diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml
index 3d568c8211c..fd8c960cf5e 100644
--- a/rules/linux/discovery_pam_version_discovery.toml
+++ b/rules/linux/discovery_pam_version_discovery.toml
@@ -53,7 +53,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Tactic: Persistence",
- "Tactic: "Credential Access",
+ "Tactic: Credential Access",
 "Data Source: Elastic Defend",
 "Data Source: Elastic Endgame",
 ]
From 9bde308a02e029f1b1c8d7fcda7bdd2fc06b9292 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 16 Dec 2024 14:55:12 +0100
Subject: [PATCH 4/5] Update discovery_pam_version_discovery.toml
---
 rules/linux/discovery_pam_version_discovery.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml
index fd8c960cf5e..1ec657c6b6d 100644
--- a/rules/linux/discovery_pam_version_discovery.toml
+++ b/rules/linux/discovery_pam_version_discovery.toml
@@ -14,7 +14,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "PAM Version Discovery"
+name = "Pluggable Authentication Module Version Discovery"
 references = [
 "https://www.group-ib.com/blog/pluggable-authentication-module/",
 "https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/",
From 919a8c8135a2dab20b2eaeba2db5f954b5bca3f9 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 3 Jan 2025 14:16:23 +0100
Subject: [PATCH 5/5] Update rules/linux/discovery_pam_version_discovery.toml
---
 rules/linux/discovery_pam_version_discovery.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml
index 1ec657c6b6d..d1a1ecdcae3 100644
--- a/rules/linux/discovery_pam_version_discovery.toml
+++ b/rules/linux/discovery_pam_version_discovery.toml
@@ -14,7 +14,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Pluggable Authentication Module Version Discovery"
+name = "Pluggable Authentication Module (PAM) Version Discovery"
 references = [
 "https://www.group-ib.com/blog/pluggable-authentication-module/",
 "https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/",