PAM authentication library hooked using eBPF
Goal
Detect processes hooking PAM authentication with the purpose of stealing credentials.
Strategy
The detection monitors system processes for the presence of eBPF programs that intercept and manipulate Linux PAM (Pluggable Authentication Modules) authentication calls. It specifically focuses on identifying any unauthorized eBPF programs that may be used to steal user credentials during the authentication process.
Triage and response
- Review the BPF programs that are loaded on the system.
- Terminate any unexpected BPF programs to prevent further credential theft.
- Use related signals and other logs to find and repair the root cause.
- Determine if any user credentials were potentially compromised during the time frame when the unauthorized eBPF program(s) were active. Rotate any affected credentials.
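To support the first two triage steps, here is an added example (not part of the Datadog rule or agent) that lists loaded eBPF programs and flags the ones worth a closer look. It assumes the JSON shape of `bpftool prog show -j` (id, type, name, loaded_at, uid, and a pids array with pid/comm); the sample bpftool output, the process name `update-helper`, and the allowlist in `EXPECTED_LOADERS` are all constructed for illustration. Uprobes on user-space library functions are loaded as BPF_PROG_TYPE_KPROBE, so a PAM hook shows up with type "kprobe" in bpftool output; the second helper corroborates who holds those programs by reading `/proc/<pid>/fd` for `anon_inode:bpf-prog` descriptors.

```python
"""Triage helper: list loaded eBPF programs and flag those that may hook PAM.

Added example, not the detection rule's own logic. Assumes the JSON shape of
`bpftool prog show -j`; the sample output and /proc layout are constructed.
"""
import json
import os
import subprocess

# Process names expected to load BPF on this host (assumption: tune per fleet).
EXPECTED_LOADERS = {"systemd", "system-probe", "datadog-agent"}

# Constructed sample of `bpftool prog show -j` output: one benign systemd
# firewall program and two kprobe programs held by an unknown process,
# one of them named after a PAM API symbol.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress",
     "loaded_at": 1700000000, "uid": 0,
     "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 87, "type": "kprobe", "name": "pam_get_authtok",
     "loaded_at": 1700003600, "uid": 0,
     "pids": [{"pid": 4242, "comm": "update-helper"}]},
    {"id": 88, "type": "kprobe", "name": "on_ret",
     "loaded_at": 1700003600, "uid": 0,
     "pids": [{"pid": 4242, "comm": "update-helper"}]},
])


def list_programs(raw_json=None):
    """Return loaded programs as a list of dicts.

    With no argument this runs the real bpftool (needs root); passing a JSON
    string instead keeps the function usable offline and in tests.
    """
    if raw_json is None:
        raw_json = subprocess.run(
            ["bpftool", "-j", "prog", "show"],
            check=True, capture_output=True, text=True).stdout
    return json.loads(raw_json)


def flag_programs(programs, expected_loaders=EXPECTED_LOADERS):
    """Return {prog_id: [reasons]} for programs that deserve review."""
    findings = {}
    for prog in programs:
        reasons = []
        name = prog.get("name", "").lower()
        holders = {h["comm"] for h in prog.get("pids", [])}
        if prog.get("type") == "kprobe":
            # A probe program named after a PAM symbol is the clearest signal.
            if "pam" in name:
                reasons.append(f"kprobe program named {name!r} references PAM")
            # Probe programs held by a process not expected to load BPF.
            unknown = holders - expected_loaders
            if unknown:
                reasons.append(f"held by unexpected process(es) {sorted(unknown)}")
        if reasons:
            findings[prog["id"]] = reasons
    return findings


def bpf_holders_from_proc(proc_root="/proc"):
    """Map pid -> count of open BPF program fds, by reading <proc_root>/<pid>/fd.

    A process holding anon_inode:bpf-prog descriptors loaded (or opened)
    those programs; use this to corroborate bpftool's pid column, or in place
    of it on bpftool builds that do not report pids.
    """
    holders = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not readable by this user
            continue
        count = 0
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target == "anon_inode:bpf-prog":
                count += 1
        if count:
            holders[int(pid)] = count
    return holders


if __name__ == "__main__":
    # Runs against the constructed sample; drop the argument to query bpftool.
    for prog_id, reasons in flag_programs(list_programs(SAMPLE_BPFTOOL_JSON)).items():
        print(f"prog id {prog_id}: " + "; ".join(reasons))
```

On a real host, a flagged program id can be removed by killing the holding process (the kernel unloads the program once its last fd and link are gone) or, for pinned programs, by unpinning the path under `/sys/fs/bpf`; record the program's `loaded_at` value first, since it bounds the window in which credentials may have been captured.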
Requires Agent version 7.34 or later.