Modify Authentication Process: Pluggable Authentication Modules

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.[1][2][3]

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.[4]

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.[5][1]

ID: T1556.003
Sub-technique of:  T1556
Platforms: Linux, macOS
Contributors: George Allen, VMware Carbon Black; Scott Knight, @sdotknight, VMware Carbon Black
Version: 2.1
Created: 26 June 2020
Last Modified: 21 August 2024

Procedure Examples

ID Name Description
S0377 Ebury

Ebury can deactivate PAM modules to tamper with the sshd configuration.[6]

S0468 Skidmap

Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users.[7]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.

M1026 Privileged Account Management

Limit access to the root account and prevent users from modifying PAM components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.

Detection

ID Data Source Data Component Detects
DS0022 File File Modification

Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.

Analytic 1 - Unauthorized changes to PAM configuration and module paths.

index=os sourcetype="linux_audit" OR sourcetype="auditd" (type="MODIFY" OR type="CREATE" OR type="DELETE") (file="/etc/pam.d/" OR file="/usr/lib/security/" OR file="/lib/security/*")

DS0028 Logon Session Logon Session Creation

Monitor for newly constructed logon behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

Analytic 1 - Unusual logon patterns and times.

index=linux_logs OR index=macos_logs(source="/var/log/secure" OR source="/var/log/auth.log" OR source="/var/log/system.log")("session opened" OR "session closed")| eval is_normal_hours=if(hour(_time) >= 8 AND hour(_time) <= 18, 1, 0)| search NOT [search index=linux_logs OR index=macos_logs (source="/etc/pam.d/*" OR source="/etc/passwd" OR source="/etc/shadow") action=modified | fields user]

References