Name Service Switch configuration modified

Goal

Detect modifications to nsswitch.conf.

Strategy

The Name Service Switch (nsswitch) configuration file points system services and other applications to the sources of name-service information. This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf to inject attacker-owned information into the authentication process. For instance, the attacker could point to a malicious password file and then log in to privileged user accounts.

Triage and response

  1. Check to see what changes were made to nsswitch.conf.
  2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.
  3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.
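
One way to carry out steps 1 and 2, as an added example that is not part of the detection rule itself: parse a known-good nsswitch.conf and the current one, then report every database whose source list differs. The `CRITICAL_DBS` set and both sample files are assumptions constructed for illustration.

```python
# Added example: diff a host's nsswitch.conf against a known-good baseline.
# CRITICAL_DBS and both sample files are constructed assumptions, not from the rule.
CRITICAL_DBS = {"passwd", "shadow", "group", "hosts", "publickey", "sudoers"}

def parse_nsswitch(text):
    """Return {database: [source and [action] tokens, in lookup order]}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        entries[db.strip().lower()] = sources.split()
    return entries

def diff_nsswitch(baseline_text, current_text):
    """List (database, baseline_sources, current_sources, is_critical) per change."""
    base, cur = parse_nsswitch(baseline_text), parse_nsswitch(current_text)
    changes = []
    for db in sorted(set(base) | set(cur)):
        # Lists are compared in order: source order decides lookup precedence,
        # so a reordering is reported as a change too.
        if base.get(db) != cur.get(db):
            changes.append((db, base.get(db), cur.get(db), db in CRITICAL_DBS))
    return changes

BASELINE = """\
# constructed known-good sample
passwd:     files systemd
group:      files systemd
shadow:     files
hosts:      files dns
services:   files
"""

CURRENT = """\
# constructed sample from the host under triage
passwd:     extra files systemd   # 'extra' is a hypothetical unexpected source
group:      files systemd
shadow:     files
hosts:      files dns
services:   files nis
"""

if __name__ == "__main__":
    for db, old, new, critical in diff_nsswitch(BASELINE, CURRENT):
        print(f"[{'CRITICAL' if critical else 'review'}] {db}: {old} -> {new}")
```

A database that appears in only one of the two files is reported with `None` on the other side.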

Requires Agent version 7.27 or greater