Creating a Backdoor

Creating a Backdoor (Windows/Mac)

The following out-of-the-box alert rules are assigned to the (Windows/Mac) Category: CREATING A BACKDOOR.

ALERT RULE

Description

Adding a local Windows User

An alert is triggered upon opening the Local Users and Groups screen, potentially to add a local user. Such an operation could indicate the creation of a security backdoor to be exploited later.

Creating a new user in Active Directory

An alert is triggered upon opening the Active Directory screen that is used for creating a new user. This action could indicate a potential security backdoor to be exploited later.

Enabling unauthorized access via Network Policy Server

An alert is triggered upon invoking Windows Network Policy Server, which can be used to enable unauthorized access to or from a specific machine.

Opening Users and Groups Preferences on Mac

An alert is triggered upon opening the Users and Groups dialog which is part of the Preferences screens on Mac.

Resetting the password of an Active Directory user

An alert is triggered upon opening the Reset Password dialog of Active Directory in order to reset a user’s password. This action could indicate an intent to exploit a potential security backdoor by logging in to systems using the credentials of another user.

Setting up a VPN server

This alert is triggered upon creating a new incoming connection by changing the network adapter settings. A new incoming connection allows other people to access the computer and the network.

Creating a Backdoor (Unix/Linux)

The following out-of-the-box alert rules are assigned to the (Unix/Linux) Category: CREATING A BACKDOOR.

ALERT RULE

Description

Adding a local user

An alert is triggered upon running the USERADD command to add a regular or power user locally on a machine. Such a local user is not exposed at the network level the way other users are, and could pose a risk to system security.

Adding a local user with a duplicated user ID

An alert is triggered upon adding a new user (via the USERADD command) with the user ID (UID) of another user that already exists on the system. The new user can log in with their own password and perform actions that appear to have been performed by the other user.

Changing a program to a SETUID program

An alert is triggered upon trying to change a program into a SETUID program (via the CHMOD command), which can grant root permissions.

Editing PASSWD, GROUP, SHADOW, PROFILE files

An alert is triggered when the PASSWD, GROUP, SHADOW or PROFILE file is edited.

Modifying root cron job

An alert is triggered upon using the CRONTAB command with the -e option under root permissions to modify cron jobs. This could enable potential backdoor activity.

Setting up a VPN server

This alert is triggered upon creating a new incoming connection by changing the network adapter settings. A new incoming connection allows other people to access the computer and the network.
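The Unix/Linux rules above describe what each alert looks for. As an added example (not part of this product's documentation or its detection engine), the following Python detector applies the duplicate-UID, USERADD, SETUID-via-CHMOD and root CRONTAB -e rules to constructed sample data; the SETUID check is generalized to cover both octal and symbolic chmod modes.

```python
import re
# Constructed sample data (not from a real host): an /etc/passwd excerpt and
# audited shell commands as (invoking user, command line) pairs.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:0:0:service account:/home/svc:/bin/bash
"""
SAMPLE_COMMANDS = [
    ("root", "useradd -m svc"),
    ("root", "chmod u+s /usr/local/bin/helper"),
    ("alice", "chmod 755 /home/alice/script.sh"),
    ("root", "crontab -e"),
    ("bob", "crontab -e"),
    ("root", "chmod 4755 /tmp/x"),
]

def duplicate_uids(passwd_text):
    """Return {uid: [account names]} for every UID shared by more than one account."""
    by_uid = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")            # name:password:uid:gid:gecos:home:shell
        if len(fields) >= 3:
            by_uid.setdefault(fields[2], []).append(fields[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def sets_setuid(mode):
    """True if a chmod mode argument (octal or symbolic) would set the setuid bit."""
    if mode.isdigit():                      # octal: 4 digits with the 4 bit in the first
        return len(mode) == 4 and int(mode[0]) & 4 != 0
    for clause in mode.split(","):          # symbolic: u+s, ug+s, +s, u=rwxs, ...
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwxXst]*)", clause)
        if m and m.group(2) != "-" and "s" in m.group(3):
            who = m.group(1) or "a"         # no who-list means all classes, owner included
            if "u" in who or "a" in who:
                return True
    return False

def suspicious_commands(commands):
    """Return (user, command, rule) for commands that match the three command-based rules."""
    findings = []
    for user, cmd in commands:
        argv = cmd.split() or [""]
        if argv[0] == "useradd":
            findings.append((user, cmd, "adding a local user"))
        elif argv[0] == "chmod":
            if any(sets_setuid(a) for a in argv[1:] if not a.startswith("-")):
                findings.append((user, cmd, "setting setuid on a program"))
        elif argv[0] == "crontab" and "-e" in argv[1:] and user == "root":
            findings.append((user, cmd, "modifying root cron job"))
    return findings
```

On the sample data the duplicate-UID check reports root and svc sharing UID 0, and four of the six commands are flagged; bob's crontab -e is not, because the rule only concerns root's cron jobs.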