Linux Detection Engineering – Approaching the Summit on Persistence Mechanisms

This article discusses advanced persistence techniques affecting Linux systems through the abuse of Pluggable Authentication Modules (PAM), package managers (DPKG and RPM), and Docker containers. Each technique shows how attackers establish and maintain unauthorized access, and the article covers methods for detecting and mitigating each one.

Affected: Linux systems, PAM modules, DPKG, RPM, Docker containers

Key points:

  • The article is part four of a Linux Persistence Detection Engineering series, focusing on creative persistence mechanisms.
  • PAM modules can be manipulated to allow unauthorized access through custom or modified PAM configurations.
  • Attackers can also utilize DPKG and RPM package managers to execute malicious code during installation or updates.
  • Docker containers can provide a means to escape to the host through misconfigurations and privilege escalations.
  • PANIX, a custom-built Linux persistence tool, is leveraged for testing and simulating these persistence techniques.
  • Detection rules and hunting strategies are discussed for identifying and responding to these persistence mechanisms.

MITRE Techniques:

  • T1556.003 – Pluggable Authentication Modules: Malicious PAM – Custom malicious PAM modules can manipulate authentication processes to establish backdoor access.
  • T1546.016 – Installer Packages: DPKG & RPM – Attackers can insert malicious code into DPKG and RPM lifecycle (maintainer) scripts to gain initial access or persistence.
  • T1610 – Deploy Container: Malicious Docker Container – Creating malicious Docker containers that exploit host vulnerabilities or misconfigurations to enable unauthorized access.

Indicators of Compromise:

  • [Hash] 9543f7ce4c6a8defcad36358f00eb4d38a85a8688cc8ecd5f15a5a2d3f43383b
  • [File] /usr/local/bin/pamexecbackdoor.sh
  • [File] /etc/pam.d/sshd
  • [File] /var/lib/dpkg/info/panix.postinst
  • [File] /usr/local/bin/escape.sh
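As an added defender-side example (not code from the Elastic article or from the PANIX tool), the Python script below shows the kind of hunting check the key points describe for the PAM and DPKG techniques: it parses PAM configuration lines for modules loaded from outside the trusted module directories and for pam_exec.so launching a script from a writable or unusual location, and it scans DPKG maintainer scripts for writes into common persistence locations or download-and-execute pipelines. The sample sshd configuration and postinst text are constructed for this example (the pamexecbackdoor.sh path comes from the indicators above); the trusted and suspicious directory lists are assumptions that should be tuned to the distribution being audited.

```python
"""Read-only hunt for PAM pam_exec backdoors and malicious DPKG maintainer scripts."""
import re
from pathlib import Path

# Assumption: directories where legitimate PAM modules normally live (tune per distro).
TRUSTED_MODULE_DIRS = (
    "/lib/security/", "/lib64/security/", "/usr/lib/security/",
    "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/",
)
# Assumption: locations from which pam_exec.so should not normally launch scripts.
SUSPICIOUS_SCRIPT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/usr/local/bin/", "/home/")
# Assumption: paths a package maintainer script rarely has a reason to touch.
PERSISTENCE_PATHS = (
    "/etc/cron", "/etc/systemd/system", "/etc/pam.d", "/etc/ld.so.preload",
    "authorized_keys", "/etc/rc.local", "/etc/profile.d",
)

# type  control  module-path  [args...]; control may be a bracketed [success=1 ...] form.
PAM_LINE = re.compile(
    r"^\s*-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


def audit_pam_config(text, source="<inline>"):
    """Return (source, line_no, finding, detail) tuples for one PAM config file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PAM_LINE.match(line)
        if not m:  # comments, @include lines and blank lines never match
            continue
        module = m.group("module")
        args = m.group("args").split()
        # A module given by absolute path outside the trusted module directories.
        if module.startswith("/") and not module.startswith(TRUSTED_MODULE_DIRS):
            findings.append((source, line_no, "untrusted-module-path", module))
        # pam_exec.so whose script argument points into a writable/unusual location.
        if Path(module).name == "pam_exec.so":
            for arg in args:
                if arg.startswith(SUSPICIOUS_SCRIPT_DIRS):
                    findings.append((source, line_no, "pam_exec-suspicious-script", arg))
    return findings


def audit_maintainer_script(text, source="<inline>"):
    """Return (source, line_no, finding, detail) tuples for one DPKG maintainer script."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for path in PERSISTENCE_PATHS:
            if path in stripped:
                findings.append((source, line_no, "touches-persistence-path", path))
                break
        if DOWNLOAD_EXEC.search(stripped):
            findings.append((source, line_no, "download-and-execute", stripped))
    return findings


def audit_host(pam_dir="/etc/pam.d", dpkg_info="/var/lib/dpkg/info"):
    """Run both audits over a live host, read-only, and return every finding."""
    findings = []
    for path in sorted(Path(pam_dir).glob("*")):
        if path.is_file():
            findings.extend(audit_pam_config(path.read_text(errors="replace"), str(path)))
    for ext in ("preinst", "postinst", "prerm", "postrm"):
        for path in sorted(Path(dpkg_info).glob(f"*.{ext}")):
            findings.extend(audit_maintainer_script(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample of /etc/pam.d/sshd, not captured from a real host.
SAMPLE_PAM_SSHD = """\
# constructed sample
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       optional     pam_exec.so quiet /usr/local/bin/pamexecbackdoor.sh
account    required     pam_nologin.so
session    required     /tmp/pam_backdoor.so
session    optional     pam_keyinit.so force revoke
"""

# Constructed sample of a tampered postinst, not the real panix.postinst.
SAMPLE_POSTINST = """\
#!/bin/sh
# constructed sample
set -e
echo "* * * * * root /usr/local/bin/PLACEHOLDER.sh" > /etc/cron.d/update-check
chmod 644 /etc/cron.d/update-check
ldconfig
"""

if __name__ == "__main__":
    for finding in audit_pam_config(SAMPLE_PAM_SSHD, "/etc/pam.d/sshd"):
        print(finding)
    for finding in audit_maintainer_script(SAMPLE_POSTINST, "/var/lib/dpkg/info/sample.postinst"):
        print(finding)
```

Run without arguments it audits the two constructed samples; calling audit_host() walks /etc/pam.d and the DPKG maintainer scripts on a real system. RPM scriptlets are not stored as files, so on RPM-based hosts the equivalent input is the output of rpm -q --scripts for each package, which can be fed to audit_maintainer_script() per package.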

Full Story: https://www.elastic.co/security-labs/approaching-the-summit-on-persistence