Wes Lambert · @weslambert
335 followers · 34 posts · Server infosec.exchange
🦖Day 77 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Linux.System\.PAM
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.system.pam
----
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts.
PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services.
----
Malicious modifications to PAM may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.
----
This artifact uses the parse_lines() plugin to parse within the '/etc/pam.d/' directory so that investigators can quickly filter and review the results for relevant or suspicious entries. The 'RecordFilter' parameter can be used to look for specific patterns or strings.
----
Here (results image), we can see an entry in '/etc/pam.d/common-auth' that executes a script called 'toomanysecrets\.sh' upon user login👀. Aside from that, the is also an entry in '/etc/pam.d/su-l' for 'pam_succeed_if' that appears to allow any user escalate to root without the password🥴!
----
For example, executing the command 'su -l root' as 'pbeesly' allows for root access without prompting for a password.
----
If we look at the contents of 'toomanysecrets\.sh', it appears to write to a log file called '/var/log/toomanysecrets.log'.
If we look at the content of the log file, we see...usernames...and...passwords! 😵💫
----
Based on what we've found, we can see how useful it can be to have the ability to search the PAM configuration for anomalies, especially across many hosts.
Overall, we can quickly glean the following information from this artifact:
- Last modified time
- File path
- Command
----
If you would like to simulate this activity yourself, try out the Atomic Red Team test below!
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md#atomic-test-1---malicious-pam-rule
If you would like to learn more about how PAM can be abused to gather usernames and passwords at login, check out the following link!
https://book.hacktricks.xyz/linux-hardening/linux-post-exploitation#sniffing-logon-passwords-with-pam
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the MITRE ATT&CK page for 'Modify Authentication Process: Pluggable Authentication Modules' below!
https://attack.mitre.org/techniques/T1556/003/
#velociraptor #artifactsofautumn #dfir #forensics #infosec #linux #t1556 #threathunting