Detects unauthorized modifications to PAM configuration files or shared object modules. Correlates file modification events under /etc/pam.d/ or /lib/security/ with unusual authentication activity such as multiple simultaneous logins, off-hours logins, or logons without corresponding physical/VPN access.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open, write |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Logon Session Creation (DC0067) | NSM:Connections | simultaneous or anomalous logon sessions across multiple systems |

| Field | Description |
|---|---|
| MonitoredPaths | List of PAM configuration and module directories monitored (e.g., /etc/pam.d/, /lib/security/). |
| TimeWindow | Timeframe for correlating suspicious file modifications with anomalous login events. |
| BaselineAccounts | Expected login frequency and systems per user account; deviations may indicate compromise. |
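As an added worked example (not part of this detection strategy's own content), the following Python implements the Linux analytic above: it filters open/write syscalls to the MonitoredPaths, flags logins that are off-hours, on a host outside the account's BaselineAccounts entry, or exceed the account's expected concurrent session count inside TimeWindow, and then correlates each flagged login with a PAM modification on the same host within that window. The record schema, the path list, the two-hour window, the business-hours range, and all events are constructed assumptions, not real auditd or NSM output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable fields from the analytic; the values below are assumptions for the example.
MONITORED_PATHS = ("/etc/pam.d/", "/lib/security/")   # MonitoredPaths
TIME_WINDOW = timedelta(hours=2)                       # TimeWindow
BASELINE_ACCOUNTS = {                                  # BaselineAccounts
    "alice": {"max_sessions": 2, "hosts": {"web01"}},
    "svc-backup": {"max_sessions": 1, "hosts": {"db01"}},
}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 counts as on-hours

# Constructed, already-parsed records (not real auditd or NSM output).
FILE_EVENTS = [
    {"ts": "2024-05-01T22:10:00", "host": "web01", "syscall": "write", "path": "/etc/pam.d/sshd", "uid": 0},
    {"ts": "2024-05-01T09:00:00", "host": "web01", "syscall": "write", "path": "/etc/hosts", "uid": 0},
]
LOGIN_EVENTS = [
    {"ts": "2024-05-01T22:30:00", "host": "web01", "user": "alice"},
    {"ts": "2024-05-01T22:31:00", "host": "db01", "user": "alice"},
    {"ts": "2024-05-01T22:32:00", "host": "web01", "user": "alice"},
    {"ts": "2024-05-01T10:00:00", "host": "web01", "user": "alice"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def pam_modifications(events, paths=MONITORED_PATHS):
    """Keep only open/write syscalls whose target lies under a monitored PAM path."""
    return [e for e in events
            if e["syscall"] in ("open", "write") and e["path"].startswith(paths)]


def anomalous_logins(logins, baseline, window=TIME_WINDOW):
    """Flag off-hours logins, logins to hosts outside the account baseline, and
    more sessions inside `window` than the account's expected maximum."""
    per_user = defaultdict(list)
    for login in logins:
        per_user[login["user"]].append(login)

    flagged = []
    for user, sessions in per_user.items():
        expected = baseline.get(user, {"max_sessions": 1, "hosts": set()})
        for login in sessions:
            ts = parse_ts(login["ts"])
            reasons = []
            if ts.hour not in BUSINESS_HOURS:
                reasons.append("off-hours")
            if login["host"] not in expected["hosts"]:
                reasons.append("unexpected-host")
            # sessions for this user that started within `window` before (or at) this one
            concurrent = sum(1 for other in sessions
                             if timedelta(0) <= ts - parse_ts(other["ts"]) <= window)
            if concurrent > expected["max_sessions"]:
                reasons.append("simultaneous-sessions")
            if reasons:
                flagged.append({**login, "reasons": reasons})
    return flagged


def correlate(file_events, logins, baseline=BASELINE_ACCOUNTS, window=TIME_WINDOW):
    """Alert on an anomalous login that follows a PAM modification on the same host within `window`."""
    alerts = []
    mods = pam_modifications(file_events)
    for login in anomalous_logins(logins, baseline, window):
        login_ts = parse_ts(login["ts"])
        for mod in mods:
            if mod["host"] == login["host"] and timedelta(0) <= login_ts - parse_ts(mod["ts"]) <= window:
                alerts.append({"user": login["user"], "host": login["host"],
                               "modified": mod["path"], "modified_ts": mod["ts"],
                               "login_ts": login["ts"], "reasons": login["reasons"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(FILE_EVENTS, LOGIN_EVENTS):
        print(alert)
```

With the constructed data, the write to /etc/hosts is ignored, the 10:00 login is within baseline, and the two off-hours logins on web01 that follow the /etc/pam.d/sshd write are raised (the third of them also trips the simultaneous-session threshold); the db01 login is anomalous on its own but is not tied to a modification on that host. Logins without a matching VPN or physical-access record are the third signal named above and need a separate log source to check against.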

Detects suspicious changes to macOS authorization and PAM plugin files. Correlates file modifications under /etc/pam.d/ or /Library/Security/SecurityAgentPlugins with unexpected authentication attempts or anomalous account usage.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | macos:unifiedlog | authentication plugin load or modification events |
| File Modification (DC0061) | macos:osquery | write |

| Field | Description |
|---|---|
| WatchedPlugins | Expected set of PAM and authorization plugins; unknown additions may indicate malicious insertion. |
| CorrelatedSources | Cross-correlation with VPN/physical access logs to identify impossible or anomalous login patterns. |
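As an added worked example (not part of this detection strategy's own content), the following Python covers the two tunable fields of the macOS analytic, and the "logons without corresponding VPN access" signal of the Linux analytic above as well: it diffs the observed contents of the watched directories against a WatchedPlugins inventory, treats unknown additions and recently modified expected files as changes, checks remote logins against a VPN session log (CorrelatedSources) for the impossible-access case, and alerts when an uncovered login follows a change within a window. The inventory, the osquery-shaped rows, the VPN and login records, the baseline date and the one-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# WatchedPlugins: expected inventory per directory (constructed baseline; a real
# deployment would build it from a known-good image).
WATCHED_PLUGINS = {
    "/Library/Security/SecurityAgentPlugins": {"CorpMDM.bundle"},
    "/etc/pam.d": {"authorization", "login", "sshd", "sudo"},
}
BASELINE_SINCE = datetime(2024, 4, 1)     # expected files touched after this count as modified
CORRELATION_WINDOW = timedelta(hours=1)

# Constructed rows in the shape of an osquery file listing (directory/filename/mtime).
OSQUERY_ROWS = [
    {"directory": "/Library/Security/SecurityAgentPlugins", "filename": "CorpMDM.bundle", "mtime": "2024-03-01T12:00:00"},
    {"directory": "/Library/Security/SecurityAgentPlugins", "filename": "Helper.bundle", "mtime": "2024-05-01T23:05:00"},
    {"directory": "/etc/pam.d", "filename": "sshd", "mtime": "2024-01-15T08:00:00"},
    {"directory": "/etc/pam.d", "filename": "authorization", "mtime": "2024-05-01T23:04:00"},
]
# CorrelatedSources: constructed VPN session log and login events.
VPN_SESSIONS = [
    {"user": "bob", "start": "2024-05-01T08:55:00", "end": "2024-05-01T17:30:00"},
]
LOGINS = [
    {"ts": "2024-05-01T09:10:00", "user": "bob", "source": "remote"},
    {"ts": "2024-05-01T23:20:00", "user": "bob", "source": "remote"},
    {"ts": "2024-05-01T23:25:00", "user": "carol", "source": "console"},
]


def ts(value):
    return datetime.fromisoformat(value)


def unknown_plugins(rows, watched=WATCHED_PLUGINS):
    """Files in a watched directory that are not in its expected set."""
    return [r for r in rows if r["filename"] not in watched.get(r["directory"], set())]


def modified_watched(rows, since=BASELINE_SINCE, watched=WATCHED_PLUGINS):
    """Expected files whose mtime is newer than the baseline date."""
    return [r for r in rows
            if r["filename"] in watched.get(r["directory"], set()) and ts(r["mtime"]) > since]


def logins_without_vpn(logins, vpn_sessions):
    """Remote logins with no VPN session for that user covering the login time."""
    uncovered = []
    for login in logins:
        if login["source"] != "remote":
            continue  # only remote logins are checked against the VPN log here
        when = ts(login["ts"])
        covered = any(s["user"] == login["user"] and ts(s["start"]) <= when <= ts(s["end"])
                      for s in vpn_sessions)
        if not covered:
            uncovered.append(login)
    return uncovered


def correlate(rows, logins, vpn_sessions, since=BASELINE_SINCE, window=CORRELATION_WINDOW):
    """One alert per uncovered remote login that follows a plugin change within `window`."""
    changes = unknown_plugins(rows) + modified_watched(rows, since)
    alerts = []
    for login in logins_without_vpn(logins, vpn_sessions):
        when = ts(login["ts"])
        hits = [f'{r["directory"]}/{r["filename"]}' for r in changes
                if timedelta(0) <= when - ts(r["mtime"]) <= window]
        if hits:
            alerts.append({"user": login["user"], "login_ts": login["ts"], "changes": hits})
    return alerts


if __name__ == "__main__":
    for alert in correlate(OSQUERY_ROWS, LOGINS, VPN_SESSIONS):
        print(alert)
```

With the constructed data, Helper.bundle is an unknown addition, /etc/pam.d/authorization is an expected file modified after the baseline, bob's 09:10 login sits inside his VPN session and is dropped, and his 23:20 login has no VPN coverage and follows both changes within the hour, so it produces the single alert. The console login is left to the physical-access correlation the analytic names, which needs its own log source.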