T1556.003 Pluggable Authentication Modules

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary-supplied values as legitimate credentials.(Citation: PAM Backdoor)

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, because PAM does not store passwords and the values exchanged with PAM components may therefore be in plain text.(Citation: PAM Creds)(Citation: Apple PAM)


Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1556.003 | Pluggable Authentication Modules
Comments: This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique, which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References:

file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1556.003 | Pluggable Authentication Modules
Comments: The PAM configuration and module paths (/etc/pam.d/) can be monitored for changes using this control. The files in this path should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.
References:
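The file integrity monitoring idea above, as an added example that is not part of the mapping page or the Azure control's own code: a small Python baseline-and-compare routine that fingerprints every file under the PAM configuration and module directories (SHA-256 of the content plus mode, owner and symlink target) and reports additions, removals and modifications on a later scan. The watched-path list and the pam.d-style sample files in the demo are assumptions constructed for the example; the demo runs in a temporary directory, not against a real host.

```python
"""Toy file-integrity check for PAM configuration and module directories.

Builds a baseline of SHA-256 digests plus mode/owner/link metadata for every
file under the watched paths, then classifies what changed on a later scan.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Paths a PAM integrity monitor would normally watch (assumed defaults; the
# module directory differs between distributions, missing ones are skipped).
DEFAULT_WATCH_PATHS = [
    "/etc/pam.d",
    "/etc/pam.conf",
    "/lib/security",
    "/lib64/security",
    "/lib/x86_64-linux-gnu/security",
]


def _fingerprint(path: Path) -> dict:
    """Return the digest and metadata recorded for one file."""
    st = path.stat()  # follows symlinks so a retargeted link changes the digest
    digest = hashlib.sha256(path.read_bytes()).hexdigest() if stat.S_ISREG(st.st_mode) else None
    return {
        "sha256": digest,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "link": os.readlink(path) if path.is_symlink() else None,
    }


def build_baseline(watch_paths) -> dict:
    """Map every regular file under the watched paths to its fingerprint."""
    baseline = {}
    for root in map(Path, watch_paths):
        if not root.exists():
            continue
        files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
        for p in files:
            baseline[str(p)] = _fingerprint(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify paths as added, removed, or modified between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Run the check against a constructed pam.d directory (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        pamd = Path(tmp) / "pam.d"
        pamd.mkdir()
        # Constructed sample service files in the style of /etc/pam.d/.
        (pamd / "sshd").write_text("auth required pam_unix.so\n")
        (pamd / "common-auth").write_text("auth [success=1 default=ignore] pam_unix.so nullok\n")
        before = build_baseline([pamd])

        # Simulate the kind of change the control is meant to catch: one service
        # file gains an extra (placeholder) module line and a new file appears.
        with open(pamd / "sshd", "a") as fh:
            fh.write("auth optional pam_placeholder.so\n")
        (pamd / "new-service").write_text("auth required pam_unix.so\n")
        after = build_baseline([pamd])

        report = diff_baseline(before, after)
        # Report paths relative to the temp dir so the result is stable.
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline would be written to storage the monitored host cannot modify and compared on a schedule (the control above scans at worst hourly); any entry under "modified" or "added" in /etc/pam.d or the module directory is worth an alert, since these files rarely change outside package upgrades.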