Techniques
Sample rules
Linux Keylogging with Pam.d
- source: sigma
- techniques:
  - t1003
  - t1056
  - t1056.001
Description
Detect attempt to enable auditing of TTY input
Detection logic
condition: 1 of selection_*
selection_path_events:
  name:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
  type: PATH
selection_tty_events:
  type:
    - TTY
    - USER_TTY