Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as <code>pam_unix.so</code>, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556.003 | Pluggable Authentication Modules |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1556.003 | Pluggable Authentication Modules |
Comments
This diagnostic statement protects against Pluggable Authentication Modules through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1556.003 | Pluggable Authentication Modules |
Comments
This diagnostic statement protects against Pluggable Authentication Modules through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556.003 | Pluggable Authentication Modules |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in PAM modules and its authentication process, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify the PAM processes.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.003 | Pluggable Authentication Modules |
Comments
This diagnostic statement protects against Pluggable Authentication Modules through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1556.003 | Pluggable Authentication Modules | |
| attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1556.003 | Pluggable Authentication Modules |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1556.003 | Pluggable Authentication Modules |
Comments
The PAM configuration and module paths (/etc/pam.d/) can be monitored for changes using this control. The files in this path should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.
References
|
| ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1556.003 | Pluggable Authentication Modules |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| advanced_protection_program | Advanced Protection Program | technique_scores | T1556.003 | Pluggable Authentication Modules |
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
References
|