Backdoor admin accounts
Backdoors are a method for bypassing normal authentication systems, and are used to secure remote access to a system.
Backdoor admin account incidents surface event patterns that indicate an actor might have created or modified a configuration to enable the continued use of a privileged account.
Investigation
In the following incident, you can see that a shell was used to modify /etc/passwd, potentially enabling an attacker to add or change a user account. In addition, there was other suspicious process activity that made a copy of /etc/passwd.
The first step in an investigation is to validate that the changes represent a bona fide security incident.
In this case, the events that led to the incident seem to indicate a valid security incident, but you should examine the changes to /etc/passwd to see if they represent the potential for an attacker to maintain persistence.
Having determined that this is a bona fide incident, then the next steps focus on determining how an attacker was able to modify the system configuration.
This would, generally, be a post-compromise approach to maintain access to the compromised systems.
Check Incident Explorer for additional incidents, such as hijacked processes.
Review additional runtime audits for the source to see if there are other clues.
Review access to the container and ensure that the affected account(s) weren’t subsequently used for further access to systems and data.
Mitigation
A full mitigation strategy for this incident begins with resolving the issues that allowed the attacker to modify the system configuration.
Ensure that compliance benchmarks are appropriately applied to the affected resources. For example, if the critical file systems in the container are mounted read-only, it will be more difficult for an attacker to change a configuration to their advantage.
