Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Linux Keylogging with Pam.d

Detect attempt to enable auditing of TTY input

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Pawel MazurCreated Mon May 24Updated Sun Dec 1849aae26c-450e-448b-911d-b3c13d178dfclinux
Log Source
Linuxauditd
ProductLinux← raw: linux
Serviceauditd← raw: auditd
Detection Logic
Detection Logic2 selectors
detection:
    selection_path_events:
        type: PATH
        name:
            - '/etc/pam.d/system-auth'
            - '/etc/pam.d/password-auth'
    selection_tty_events:
        type:
            - 'TTY'
            - 'USER_TTY'
    condition: 1 of selection_*
False Positives

Administrative work

References
1
Resolving title…
github.com
2
Resolving title…
linux.die.net
3
Resolving title…
access.redhat.com
4
Resolving title…
access.redhat.com
MITRE ATT&CK
Rule Metadata
Rule ID
49aae26c-450e-448b-911d-b3c13d178dfc
Status
test
Level
high
Type
Detection
Created
Mon May 24
Modified
Sun Dec 18
Author
Pawel Mazur
Path
rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
Raw Tags
attack.collectionattack.credential-accessattack.t1003attack.t1056.001
View on GitHub