What the heck are processes acting on behalf of authorized users?
- Lists processes acting on behalf of authorized users,
- Logically identifies these processes,
- Limits these processes' access to systems, through techniques such as:
  - Authenticating or verifying these processes.
Our interpretation of PAOBOAU (processes acting on behalf of authorized users)
- a piece of software that installs a “user”-type account in a system and relies on that user's credentials instead of SYSTEM credentials. For example:
  - in Linux, software that installs a user that you can find in /etc/passwd or /etc/shadow
  - on Windows, software that installs a user listed in Computer Management > System Tools > Local Users and Groups > Users, or installs a user in an Active Directory tree
- a process that requires managed credentials to access a system, such as a cloud backup agent that you install locally and that requires some sort of username/password, certificate, or SSH keypair to access its cloud service “mothership”
How did we arrive at our interpretation?
How do we "limit access"?
You can limit PAOBOAU system access by managing the credentials (such as passwords, HTTPS certificates, and SSH keypairs) that they use to access your system. For example, if your cloud backup system requires you to generate an SSH keypair that the local backup agent uses to log in to the cloud service, you should maintain strict control over the private key.
You should then periodically monitor for the use of the accounts associated with PAOBOAU (e.g. configure your systems to generate event logs when the processes’ accounts are used) and inspect your assets to make sure new PAOBOAU don’t get installed without authorization.
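As an added example (not from the original post), here is a small Python inventory check for the Linux case described above: it parses /etc/passwd-format data, picks out software-installed accounts by their system-range UID, flags any that are missing from an approved list, and notes which ones still have an interactive shell. The sample passwd entries and the approved list are constructed for illustration.

```python
"""Inventory software-installed ("process") accounts from passwd-format data and
compare them with an approved baseline. Example code; sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:115:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
backupagent:x:998:998:Cloud backup agent:/var/lib/backupagent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
newagent:x:997:997:Unknown agent:/opt/newagent:/bin/bash
"""

# Constructed baseline: service accounts an administrator has explicitly authorized.
APPROVED_SERVICE_ACCOUNTS = {"root", "daemon", "postgres", "backupagent"}

@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    home: str
    shell: str

def parse_passwd(text: str) -> list[Account]:
    """Parse passwd-format lines; malformed lines are skipped rather than guessed at."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, home, shell = fields
        accounts.append(Account(name, int(uid), home, shell))
    return accounts

def service_accounts(accounts: list[Account], human_uid_floor: int = 1000) -> list[Account]:
    """Accounts with a UID below the human floor (Debian/Red Hat convention) are
    treated as software-installed; adjust the floor to match your distribution."""
    return [a for a in accounts if a.uid < human_uid_floor]

def audit(text: str, approved: set[str], human_uid_floor: int = 1000) -> dict[str, list[str]]:
    """Return the service-account inventory, the ones not on the approved list, and
    the ones whose shell would allow an interactive login with their credentials."""
    svc = service_accounts(parse_passwd(text), human_uid_floor)
    return {
        "service_accounts": sorted(a.name for a in svc),
        "unapproved": sorted(a.name for a in svc if a.name not in approved),
        "interactive_shell": sorted(a.name for a in svc
                                    if not a.shell.endswith(("nologin", "false"))),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, APPROVED_SERVICE_ACCOUNTS))
```

Run it against the real /etc/passwd (and your own approved list) on a schedule and treat any new name under "unapproved" as a PAOBOAU to investigate.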
Good hunting! Contact us anytime if you’d like some help finding PAOBOAU in your environment.