Name Service Switch configuration modified
Goal
Detect modifications to nsswitch.conf.
Strategy
The Name Service Switch (nsswitch) configuration file points system services and other applications to the sources of name-service information. This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. For instance, the attacker could point to a malicious password file and then log in to privileged user accounts.
Triage and response
- Check to see what changes were made to nsswitch.conf.
- Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.
- If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.
Requires Agent version 7.27 or greater