Find sigma rule
Attack: Modify Authentication Process: Pluggable Authentication Modules
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so
, which retrieves, sets, and verifies account authentication information in /etc/passwd
and /etc/shadow
.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so
, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)
MITRE
Tactic
- credential-access
- defense-evasion
- persistence
technique
- T1556.003
Test : Malicious PAM module
OS
- linux
Description:
Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
Executor
sh