2025-02-15
In this article, we delve into advanced Linux persistence mechanisms, focusing on techniques such as Pluggable Authentication Modules (PAM) backdoors, malicious `pam_exec` usage, DPKG & RPM package abuse, and Docker-based container persistence. The blog provides a comprehensive breakdown of how these techniques work, how to set them up, and how to detect and hunt for them using Elastic’s SIEM and Endpoint rules, as well as ESQL and OSQuery hunts.
Key Techniques and Commands:
1. PAM Backdoor:
- Setup: Modify the PAM configuration to include a malicious shared object.
    echo "auth required pam_unix.so" >> /etc/pam.d/common-auth
    echo "auth optional pam_exec.so /path/to/malicious/script" >> /etc/pam.d/common-auth
- Detection: Monitor for unexpected changes in PAM configuration files (the diff below assumes a known-good copy was saved earlier as common-auth.bak).
    sudo diff /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
2. Malicious `pam_exec` Usage:
- Setup: Use `pam_exec` to execute a script during authentication.
    echo "session optional pam_exec.so /path/to/malicious/script" >> /etc/pam.d/common-session
- Detection: Check for unusual scripts referenced in PAM configurations.
    grep pam_exec /etc/pam.d/*
3. DPKG & RPM Package Abuse:
- Setup: Create a malicious package that installs a backdoor.
    fpm -s dir -t deb -n malicious-pkg -v 1.0 --after-install /path/to/malicious/script /path/to/install
- Detection: Verify package integrity and contents.
    dpkg -V malicious-pkg
    rpm -V malicious-pkg
4. Docker-Based Container Persistence:
- Setup: Use a Docker container to maintain persistence.
    docker run -d --name malicious-container --restart always malicious-image
- Detection: Monitor for unusual container activity.
    docker ps --no-trunc
    docker logs malicious-container
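As an added example (not part of the original post, and not code from Elastic or the PANIX project), the following shell script turns the `grep pam_exec` and diff checks above into a small PAM auditor. It parses every file in a PAM configuration directory, handles the bracketed control syntax Debian uses in common-auth (`[success=1 default=ignore]`), and reports two things: `pam_exec.so` entries, and modules referenced by an absolute path that lies outside the distribution's PAM module directories. The module directory list and the sample common-auth file are assumptions constructed for the demo; on a live host call `audit_pam_dir /etc/pam.d`.

```shell
#!/bin/sh
# Added example, not from the original post: audit a PAM configuration
# directory for pam_exec.so entries and for modules loaded by absolute path
# from outside the system module directories.

# Assumption: module directories used by Debian/Ubuntu and RHEL-style systems.
# Extend the list if your distribution installs pam_*.so somewhere else.
PAM_MODULE_DIRS="/lib/security /lib64/security /usr/lib/security /usr/lib64/security /lib/x86_64-linux-gnu/security /usr/lib/x86_64-linux-gnu/security"

# audit_pam_dir DIR
# Prints one finding per line in the form  FILE:REASON:MODULE ARGS
audit_pam_dir() {
    pamdir="$1"
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        # Strip comments. A PAM line is: [-]type control module [args...]
        # @include / substack lines have fewer fields and are skipped.
        sed -e 's/#.*$//' "$f" | awk -v file="$f" -v dirs="$PAM_MODULE_DIRS" '
            BEGIN { n = split(dirs, allowed, " "); for (k = 1; k <= n; k++) ok[allowed[k]] = 1 }
            NF >= 3 {
                # The control field may be a bracketed list containing spaces,
                # e.g. [success=1 default=ignore]; advance to its closing bracket.
                i = 2
                if ($2 ~ "^\\[") { while (i <= NF && $i !~ "\\]$") i++ }
                i++
                module = $i
                args = ""
                for (j = i + 1; j <= NF; j++) args = args " " $j
                # pam_exec.so runs an arbitrary program during auth/session.
                if (module ~ "pam_exec\\.so$")
                    printf "%s:pam_exec:%s%s\n", file, module, args
                # A module given as an absolute path bypasses the module
                # directory; flag it unless that directory is a known one.
                if (module ~ "^/") {
                    d = module; sub("/[^/]*$", "", d)
                    if (!(d in ok))
                        printf "%s:module_outside_system_dir:%s%s\n", file, module, args
                }
            }'
    done
}

# count_pam_findings DIR -> number of findings (always exits 0)
count_pam_findings() {
    audit_pam_dir "$1" | grep -c '' || true
}

# make_sample_pam_dir -> path of a temp dir holding a constructed common-auth.
# The entries mimic a Debian common-auth plus two injected lines; sample data
# only, not taken from any real system.
make_sample_pam_dir() {
    d=$(mktemp -d)
    cat > "$d/common-auth" <<'EOF'
# constructed sample, not a real system file
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_exec.so /tmp/collect.sh
auth    required                    /tmp/pam_evil.so
EOF
    echo "$d"
}

# Demo on the constructed sample; on a live host run: audit_pam_dir /etc/pam.d
sample=$(make_sample_pam_dir)
audit_pam_dir "$sample"
rm -rf "$sample"
```

The two findings the demo prints are exactly the lines an attacker-modified common-auth adds; everything a stock Debian file contains (bracketed controls, `pam_unix.so`, `pam_deny.so`, `pam_permit.so`) passes silently, so the output is usable as a scheduled check whose non-empty result is the alert.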
What Undercode Says:
Linux persistence mechanisms are a critical area of focus for security professionals. Understanding how attackers can maintain access to systems through techniques like PAM backdoors, malicious `pam_exec` usage, package abuse, and Docker-based persistence is essential for effective detection and response.
To detect these threats, it’s important to regularly monitor system configurations, verify package integrity, and scrutinize container activity. Tools like Elastic’s SIEM and Endpoint rules, along with ESQL and OSQuery, provide powerful capabilities for hunting and detecting these persistence mechanisms.
In addition to the techniques discussed, consider the following commands to enhance your Linux security posture:
- Audit PAM Modules:
    sudo auditctl -w /etc/pam.d/ -p wa -k pam_config
- Check for Unauthorized Packages:
    dpkg --verify | grep -v '^$'
    rpm -Va | grep -v '^$'
- Monitor Docker Containers:
    docker events --filter 'event=create'
- System Log Analysis:
    sudo grep -i "authentication failure" /var/log/auth.log
- File Integrity Monitoring:
    sudo aide --check
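The `dpkg -V` / `rpm -Va` commands above (and the per-package `dpkg -V` / `rpm -V` checks in section 3) print one terse attribute string per file, which is hard to scan on a host with hundreds of edited config files. As an added example (not from the original post), this script triages that output so changed binaries, changed file modes and missing packaged files are reported separately from edited config files. The sample verify lines are constructed, and the script assumes file paths without spaces; on a live host pipe real output into it with `rpm -Va | triage_verify_output` or `dpkg -V | triage_verify_output`.

```shell
#!/bin/sh
# Added example, not from the original post: classify rpm -Va / dpkg -V output.
# rpm prints a 9-character attribute string (S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, P capabilities; "." = unchanged), an optional
# file-type letter (c=config, d=doc, g=ghost, l=license, r=readme) and the path.
# dpkg -V uses the same layout but only checks the digest, printing "?" elsewhere.

# triage_verify_output  (reads verify lines on stdin)
# Prints one line per finding: REASON PATH
triage_verify_output() {
    awk '
        # A packaged file that no longer exists on disk.
        $1 == "missing" { print "missing " $NF; next }
        # Skip anything that is not an attribute string (e.g. dependency notes).
        length($1) != 9 { next }
        NF >= 2 {
            attrs = $1; path = $NF
            ftype = (NF == 3) ? $2 : ""
            size_changed   = (substr(attrs, 1, 1) == "S")
            mode_changed   = (substr(attrs, 2, 1) == "M")
            digest_changed = (substr(attrs, 3, 1) == "5")
            # Edited config files are routine; report them under their own label
            # so the analyst can review them separately from changed binaries.
            if (ftype == "c") {
                if (digest_changed) print "config_modified " path
                next
            }
            if (digest_changed || size_changed) print "content_modified " path
            else if (mode_changed) print "mode_changed " path
        }'
}

# triage_sample: constructed rpm -Va / dpkg -V lines, not real output from any host.
triage_sample() {
    triage_verify_output <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
..5......    /usr/bin/ssh
.M.......    /usr/bin/sudo
missing      /usr/lib/systemd/system/foo.service
??5??????    /usr/sbin/sshd
Unsatisfied dependencies for foo-1.0: bar >= 2
EOF
}

# Demo on the constructed sample.
triage_sample
```

A `content_modified` hit on a binary or script under `/usr` is the case that matters for the package-abuse technique above: a post-install script that overwrites a system binary leaves exactly this trace, whereas an admin editing `sshd_config` shows up only as `config_modified`.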
By combining these commands with a robust security strategy, you can significantly reduce the risk of persistence-based attacks on your Linux systems. For further reading, explore the original blog post and the PANIX tool on GitHub:
- Read the Blog Post: Linux Detection Engineering – Approaching the Summit on Persistence Mechanisms
- Explore PANIX on GitHub: PANIX GitHub Repository
Stay vigilant and keep your systems secure!
References:
Hackers Feeds, Undercode AI