turbot/tailpipe-mod-aws-cloudtrail-log-detections

Benchmark: T1556.003 Modify Authentication Process: Pluggable Authentication Modules

Overview

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections

Start the Powerpipe server:

powerpipe server

Open http://localhost:9033 in your browser and select T1556.003 Modify Authentication Process: Pluggable Authentication Modules.

Run this benchmark in your terminal:

powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0006_t1556_003

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0006_t1556_003 --share

Detections

Tags