Description
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)
Platforms
Mitigations (2)
Multi-factor AuthenticationM1032
Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
Privileged Account ManagementM1026
Limit access to the root account and prevent users from modifying PAM components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0377 | Ebury | Malware | [Ebury](https://attack.mitre.org/software/S0377) can deactivate PAM modules to tamper with the sshd configuration.(Citation: ESET Ebury Oct 2017) |
| S0468 | Skidmap | Malware | [Skidmap](https://attack.mitre.org/software/S0468) has the ability to replace the pam_unix.so file on an infected machine with its own malicious versi... |
References
- Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020.
- die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020.
- Fernández, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved November 17, 2024.
- Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020.
- zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020.
Frequently Asked Questions
What is T1556.003 (Pluggable Authentication Modules)?
T1556.003 is a MITRE ATT&CK technique named 'Pluggable Authentication Modules'. It belongs to the Defense Impairment, Persistence, Credential Access tactic(s). Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries,...
How can T1556.003 be detected?
Detection of T1556.003 (Pluggable Authentication Modules) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1556.003?
There are 2 documented mitigations for T1556.003. Key mitigations include: Multi-factor Authentication, Privileged Account Management.
Which threat groups use T1556.003?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.