T1556.003 Pluggable Authentication Modules Mappings

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as <code>pam_unix.so</code>, can be patched to accept arbitrary adversary-supplied values as legitimate credentials.(Citation: PAM Backdoor)

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, because the values exchanged with PAM components may be in plain text, as PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1556.003 | Pluggable Authentication Modules |
| AC-20 | Use of External Systems | Protects | T1556.003 | Pluggable Authentication Modules |
| AC-3 | Access Enforcement | Protects | T1556.003 | Pluggable Authentication Modules |
| AC-5 | Separation of Duties | Protects | T1556.003 | Pluggable Authentication Modules |
| AC-6 | Least Privilege | Protects | T1556.003 | Pluggable Authentication Modules |
| AC-7 | Unsuccessful Logon Attempts | Protects | T1556.003 | Pluggable Authentication Modules |
| CM-5 | Access Restrictions for Change | Protects | T1556.003 | Pluggable Authentication Modules |
| CM-6 | Configuration Settings | Protects | T1556.003 | Pluggable Authentication Modules |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1556.003 | Pluggable Authentication Modules |
| IA-5 | Authenticator Management | Protects | T1556.003 | Pluggable Authentication Modules |
| SI-4 | System Monitoring | Protects | T1556.003 | Pluggable Authentication Modules |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1556.003 | Pluggable Authentication Modules |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules |
| attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules |