MITRE ATT&CK / T1556.003
T1556.003
Pluggable Authentication Modules
Description
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)Adversaries may modify components of the PAM system to create backdoors. PAM components, such as <code>pam_unix.so</code>, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)
Platforms
Mitigations
- M1032 — Multi-factor Authentication
- M1026 — Privileged Account Management
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- PamDOORa: New Linux Backdoor Sells for $900 on Russian Forum, Harvests SSH Credentials via PAM
- Quasar Linux (QLNX): Rootkit and PAM Backdoor Targeting Developer Credentials
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →