- Tactics
- defense-impairment , Persistence , Credential Access
- Platforms
- Linux, macOS
- Reference
- attack.mitre.org/techniques/T1556.003
Description
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the defense-impairment, Persistence, Credential Access tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1003 — OS Credential Dumping
- T1037 — Boot or Logon Initialization Scripts
- T1040 — Network Sniffing
- T1053 — Scheduled Task/Job
- T1056 — Input Capture
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1110 — Brute Force
- T1111 — Multi-Factor Authentication Interception
- T1112 — Modify Registry
- T1133 — External Remote Services
- T1136 — Create Account