PAM authentication library hooked using eBPF

Goal

Detect processes hooking PAM authentication with the purpose of stealing credentials.

Strategy

The detection monitors system processes for the presence of eBPF programs that intercept and manipulate Linux PAM (Pluggable Authentication Modules) authentication calls. It specifically focuses on identifying any unauthorized eBPF programs that may be used to steal user credentials during the authentication process.

Triage and response

  1. Review the BPF programs that are loaded on the system.
  2. Terminate any unexpected BPF programs to prevent further credential theft.
  3. Use related signals and other logs to find and repair the root cause.
  4. Determine if any user credentials were potentially compromised during the time frame when the unauthorized eBPF program(s) were active. Rotate any affected credentials.
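A helper for triage step 1, added here as example code (it is not part of this rule or of the Agent): it filters `bpftool perf list` output down to uprobe/uretprobe attachments whose target is the PAM shared library and reports the owning pid and prog_id. The `bpftool perf list` sample below is constructed, and the libpam path in it is assumed.

```shell
#!/bin/sh
# Added triage helper, not part of the detection rule.
# `bpftool perf list` (run as root) prints every BPF program attached through a
# perf event, one per line, in the form:
#   pid 21800  fd 5: prog_id 9  uprobe  filename /path/to/lib.so  offset 1159
# An eBPF credential stealer that hooks PAM appears as a uprobe/uretprobe whose
# filename is libpam; the pid is the user-space process holding the attachment
# and prog_id can be inspected with `bpftool prog show id <id>`.
# Caveat: /sys/kernel/tracing/uprobe_events only lists hooks created via the
# legacy tracefs interface; perf_event_open-based attachments show up in bpftool.

# pam_hooks FILE -> one "pid=<pid> prog_id=<id> <type> <filename>" line per hit
pam_hooks() {
    # Field layout: $2=pid $6=prog_id $7=attach type $9=filename (for uprobes)
    awk '$7 ~ /^u(ret)?probe$/ && $9 ~ /libpam(_misc)?\.so/ {
            printf "pid=%s prog_id=%s %s %s\n", $2, $6, $7, $9
         }' "$1"
}

# count_pam_hooks FILE -> number of PAM hook entries found
count_pam_hooks() {
    pam_hooks "$1" | wc -l | tr -d ' '
}

# write_sample FILE -> constructed `bpftool perf list` output (not from a real host)
write_sample() {
    cat > "$1" <<'EOF'
pid 1187  fd 5: prog_id 14  kprobe  func __x64_sys_write  offset 0
pid 1187  fd 6: prog_id 15  tracepoint  sched_switch
pid 4421  fd 7: prog_id 31  uprobe  filename /usr/lib/x86_64-linux-gnu/libpam.so.0  offset 23088
pid 4421  fd 8: prog_id 32  uretprobe  filename /usr/lib/x86_64-linux-gnu/libpam.so.0  offset 23088
pid 2210  fd 9: prog_id 40  uprobe  filename /usr/lib/x86_64-linux-gnu/libssl.so.3  offset 172528
EOF
}

# Stand-alone run against the constructed sample. On a live host use instead:
#   bpftool perf list > /tmp/perf.txt && pam_hooks /tmp/perf.txt
sample=$(mktemp)
write_sample "$sample"
pam_hooks "$sample"
rm -f "$sample"
```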

Requires Agent version 7.34 or later.