1. Home
  2. Techniques
  3. Enterprise
  4. Modify Authentication Process
  5. Pluggable Authentication Modules

Modify Authentication Process: Pluggable Authentication Modules

ID Name
T1556.001 Domain Controller Authentication
T1556.002 Password Filter DLL
T1556.003 Pluggable Authentication Modules
T1556.004 Network Device Authentication
T1556.005 Reversible Encryption
T1556.006 Multi-Factor Authentication
T1556.007 Hybrid Identity
T1556.008 Network Provider DLL
T1556.009 Conditional Access Policies

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.[1][2][3]

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.[4]

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.[5][1]

ID: T1556.003
Sub-technique of:  T1556
Platforms: Linux, macOS
Contributors: George Allen, VMware Carbon Black; Scott Knight, @sdotknight, VMware Carbon Black
Version: 2.1
Created: 26 June 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0377 Ebury

Ebury can deactivate PAM modules to tamper with the sshd configuration.[6]
S0468 Skidmap

Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users.[7]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
M1026 Privileged Account Management

Limit access to the root account and prevent users from modifying PAM components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0454 Detect Malicious Modification of Pluggable Authentication Modules (PAM) AN1250

Detects unauthorized modifications to PAM configuration files or shared object modules. Correlates file modification events under /etc/pam.d/ or /lib/security/ with unusual authentication activity such as multiple simultaneous logins, off-hours logins, or logons without corresponding physical/VPN access.
AN1251

Detects suspicious changes to macOS authorization and PAM plugin files. Correlates file modifications under /etc/pam.d/ or /Library/Security/SecurityAgentPlugins with unexpected authentication attempts or anomalous account usage.

References

  1. Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020.
  2. die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020.
  3. Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020.
  4. zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020.
  1. Fernández, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved November 17, 2024.
  2. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
  3. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.