Pluggable Authentication Module (PAM) Source Download

About

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Credential AccessTactic: PersistenceData Source: Elastic DefendData Source: Elastic EndgameData Source: CrowdstrikeLanguage: eql

Severity

low

Risk Score

21

MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

↳ Create or Modify System Process (T1543)(external, opens in a new tab or window)

Credential Access (TA0006)(external, opens in a new tab or window)

↳ Modify Authentication Process (T1556)(external, opens in a new tab or window)

False Positive Examples

Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-endpoint.events.process*endgame-*logs-crowdstrike.fdr*

Related Integrations

endpoint(external, opens in a new tab or window)

crowdstrike(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "ProcessRollup2") and
process.name in ("curl", "wget") and
process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz"