T1556.003

Pluggable Authentication Modules

Adversaries may modify Pluggable Authentication Modules (PAM) to access user credentials or create backdoors. PAM is the modular authentication framework used by most Linux distributions and by macOS: services such as sshd, login and sudo delegate authentication to a stack of modules configured in /etc/pam.d/ and /etc/pam.conf. The core module, pam_unix.so, verifies passwords against /etc/passwd and /etc/shadow. Because the password a user types is handed to these modules in plaintext, an adversary with root can patch pam_unix.so to accept a hardcoded backdoor password for any account, or to log credentials as they are checked; editing the PAM configuration to load a malicious module achieves the same result without touching pam_unix.so. The Skidmap malware replaced pam_unix.so with a malicious version that accepted a specific backdoor password.

Microsoft Sentinel / Defender

let PAMPaths = dynamic([
  "/lib/security", "/lib64/security",
  "/usr/lib/security", "/usr/lib64/security",
  "/lib/x86_64-linux-gnu/security", "/lib/aarch64-linux-gnu/security",
  "/etc/pam.d", "/etc/pam.conf"
]);
let PackageManagers = dynamic(["apt", "apt-get", "dpkg", "rpm", "yum", "dnf", "zypper", "pacman", "pip", "pip3"]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// PAM module directories and policy files, plus pam_unix.so wherever it is written
| where FolderPath has_any (PAMPaths) or FileName =~ "pam_unix.so"
// Package managers legitimately replace these files during upgrades
| where InitiatingProcessFileName !in~ (PackageManagers)
| project Timestamp, DeviceName, FolderPath, FileName, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, SHA256
| sort by Timestamp desc

The package-manager exclusion matches on process name only, so a dropper renamed to apt or dpkg slips past it. Treat the SHA256 in the results as the deciding field: a pam_unix.so whose hash does not match the installed distribution package is suspicious regardless of which process wrote it.

Severity: critical. Confidence: high.
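The following is an added example, not code from the original detection page. It expresses the same PAM file-event logic as the Kusto query above in Python and runs it over constructed DeviceFileEvents-style records, so the exclusion rules can be exercised offline. It goes slightly beyond the query in two ways: it also catches pam_unix.so written outside the PAM directories (the staging step of the module replacement described above), and it only trusts a package-manager write when the resulting hash is already known good. The paths, process names, sample events and "known-good" digests are all assumptions constructed for the example.

```python
# Added example (not part of the original page): the PAM file-event detection
# re-expressed in Python and run over constructed sample events.
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Directories (and the one file) that hold PAM modules or PAM policy.
PAM_PATHS = (
    "/lib/security", "/lib64/security",
    "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/lib/aarch64-linux-gnu/security",
    "/etc/pam.d", "/etc/pam.conf",
)
PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "rpm", "yum", "dnf",
                    "zypper", "pacman", "pip", "pip3"}
WATCHED_ACTIONS = {"FileCreated", "FileModified", "FileRenamed"}


@dataclass(frozen=True)
class FileEvent:
    """Subset of a DeviceFileEvents row; field names mirror the MDE schema."""
    FolderPath: str
    FileName: str
    ActionType: str
    InitiatingProcessFileName: str
    SHA256: str


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known-good" digest, standing in for the hash of pam_unix.so
# recorded in the distribution's package manifest (assumption for the example).
KNOWN_GOOD_SHA256 = {_sha256(b"constructed: vendor pam_unix.so build")}


def touches_pam(ev: FileEvent) -> bool:
    """True if the event lands in a PAM path or targets pam_unix.so anywhere."""
    in_pam_path = any(ev.FolderPath == p or ev.FolderPath.startswith(p + "/")
                      for p in PAM_PATHS)
    return in_pam_path or ev.FileName == "pam_unix.so"


def is_suspicious(ev: FileEvent, known_good: set[str] = KNOWN_GOOD_SHA256) -> bool:
    """Apply the query's filters, then tighten the package-manager exclusion.

    The Kusto query drops every event whose initiating process is named like a
    package manager. A dropper renamed to 'dpkg' would ride that exclusion, so
    a package-manager write is trusted here only when the resulting hash is
    already known good.
    """
    if ev.ActionType not in WATCHED_ACTIONS or not touches_pam(ev):
        return False
    if ev.InitiatingProcessFileName.lower() in PACKAGE_MANAGERS:
        return ev.SHA256 not in known_good
    return True


def run_detection(events, known_good=KNOWN_GOOD_SHA256) -> list[FileEvent]:
    """Return the events that would be alerted on."""
    return [ev for ev in events if is_suspicious(ev, known_good)]


# Constructed sample events, one per case the rule has to get right.
SAMPLE_EVENTS = [
    # 1. Real package upgrade: dpkg writes the vendor build -> benign
    FileEvent("/lib/x86_64-linux-gnu/security", "pam_unix.so", "FileModified",
              "dpkg", _sha256(b"constructed: vendor pam_unix.so build")),
    # 2. Dropper renamed to 'dpkg' writes a patched module -> flagged by hash
    FileEvent("/lib/x86_64-linux-gnu/security", "pam_unix.so", "FileModified",
              "dpkg", _sha256(b"constructed: backdoored pam_unix.so")),
    # 3. Interactive edit of the sshd PAM policy -> flagged
    FileEvent("/etc/pam.d", "sshd", "FileModified", "vim",
              _sha256(b"constructed: edited policy")),
    # 4. Replacement module staged in /tmp before installation -> flagged by name
    FileEvent("/tmp", "pam_unix.so", "FileCreated", "curl",
              _sha256(b"constructed: staged module")),
    # 5. Deletion is outside the watched action set -> not flagged by this rule
    FileEvent("/etc/pam.d", "login", "FileDeleted", "rm", ""),
    # 6. Unrelated write elsewhere on the host -> benign
    FileEvent("/home/analyst", "notes.txt", "FileCreated", "bash",
              _sha256(b"constructed: notes")),
]

if __name__ == "__main__":
    for ev in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {ev.ActionType:<12} {ev.InitiatingProcessFileName:<6} "
              f"{ev.FolderPath}/{ev.FileName} sha256={ev.SHA256[:12]}")
```

Run as a script it prints three alerts (cases 2, 3 and 4). On a real host the known-good set would be populated from the installed package's file manifest rather than a constructed digest; the structure of the check is the same.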

Data Sources

  • File: File Modification
  • File: File Creation
  • Microsoft Defender for Endpoint (Linux)

Required Tables

DeviceFileEvents

False Positives

  • Package manager updates (apt, yum, rpm, dnf) replacing PAM modules during OS or software upgrades
  • Configuration management tools (Ansible, Chef, Puppet, Salt) deploying updated PAM configurations via authorized playbooks
  • Security hardening scripts legitimately modifying /etc/pam.d/ to enforce password policies or MFA
  • System administrators manually patching PAM modules after a vulnerability disclosure
