
Summary
This detection rule identifies attempts to enable keylogging through PAM (Pluggable Authentication Modules) configuration on Linux systems. PAM's pam_tty_audit module makes the kernel record every keystroke typed in a user's terminal into the audit log as TTY records, so enabling it in a central PAM stack is a ready-made keylogger that needs no extra tooling. The rule therefore watches for two kinds of auditd records: PATH records that name the critical PAM configuration files '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth', which show that one of these files was opened or written and may indicate an unauthorized attempt to turn on keystroke logging, and TTY records, which are only emitted once TTY auditing is active and carry the captured input. Either kind of event that matches the selection criteria raises an alert for a potential keylogging attempt. Two points matter when deploying it: PATH records for these files only appear if auditd has a file watch (or a syscall rule) covering them, so that watch must be in place before the first branch can fire at all; and legitimate administration (authconfig or authselect runs, package updates, manual edits) also touches these files and is the main source of false positives, so such activity should be baselined before the alert is treated as high-confidence. Monitoring PAM configuration matters because these files govern authentication for the whole system, and tampering with them can expose credentials and grant unauthorized access to sensitive information.
Categories
- Linux
- Endpoint
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1056.001
Created: 2021-05-24