Pluggable Authentication Module (PAM) Version Discovery

About

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: DiscoveryTactic: PersistenceTactic: Credential AccessData Source: Elastic DefendData Source: Elastic EndgameData Source: CrowdstrikeData Source: SentinelOneLanguage: eql

Severity

low

Risk Score

21

MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

↳ System Information Discovery (T1082)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

↳ Create or Modify System Process (T1543)(opens in a new tab or window)

Credential Access (TA0006)(opens in a new tab or window)

↳ Modify Authentication Process (T1556)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-endpoint.events.*endgame-*logs-crowdstrike.fdr*logs-sentinel_one_cloud_funnel.*

Related Integrations

endpoint(opens in a new tab or window)

crowdstrike(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

Query

process where host.os.type == "linux" and event.type == "start" and
  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name != null and
  (
    (process.name in ("dpkg", "dpkg-query") and process.args == "libpam-modules") or
    (process.name == "rpm" and process.args == "pam")
  ) and
not process.parent.name in ("dcservice", "inspectorssmplugin")