T1556.003 Google Chronicle · YARA-L

Detect Pluggable Authentication Modules in Google Chronicle

Adversaries may modify Pluggable Authentication Modules (PAM) to access user credentials or create backdoors. PAM is a modular authentication framework used by Linux and macOS services. The primary module pam_unix.so handles authentication against /etc/passwd and /etc/shadow. Adversaries patch pam_unix.so to accept a hardcoded backdoor password for any account, or harvest plaintext credentials during authentication. Skidmap malware replaced pam_unix.so with a malicious version accepting a specific backdoor password.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.003 Pluggable Authentication Modules
Canonical reference
https://attack.mitre.org/techniques/T1556/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule pam_module_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects unauthorized creation, modification, or renaming of PAM shared library modules and configuration files. Indicative of T1556.003 backdoor installation tactics used by Skidmap and similar malware that replace pam_unix.so to accept a hardcoded backdoor password for any account."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.003"
    mitre_attack_technique_name = "Pluggable Authentication Modules"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"
    created = "2025-01-01"

  events:
    (
      $e.metadata.event_type = "FILE_MODIFICATION" or
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MOVE"
    )
    (
      re.regex($e.target.file.full_path, `/lib(64)?/security/pam_unix\.so`) or
      re.regex($e.target.file.full_path, `/usr/lib(64)?/security/pam_unix\.so`) or
      re.regex($e.target.file.full_path,
        `/lib/(x86_64|aarch64|armhf|arm64)-linux-gnu/security/pam_unix\.so`) or
      re.regex($e.target.file.full_path, `/etc/pam\.d/`) or
      $e.target.file.full_path = "/etc/pam.conf"
    )
    not re.regex($e.principal.process.file.full_path,
      `/(apt|apt-get|dpkg|rpm|yum|dnf|zypper|pacman|pip3?|ldconfig|update-alternatives)$`)

  condition:
    $e
}
critical severity high confidence

Chronicle YARA-L 2.0 detection rule using UDM file events to identify PAM authentication library modifications. Matches FILE_MODIFICATION, FILE_CREATION, and FILE_MOVE events against all known pam_unix.so library paths across x86_64 and ARM architectures, plus /etc/pam.d/ configuration directory and /etc/pam.conf. Excludes known package manager and system linker binaries via regex on the initiating process full path.

Data Sources

Google Chronicle UDM (Universal Data Model)Linux endpoint telemetry ingested via Chronicle forwarderAuditd logs normalized to Chronicle UDM by Chronicle parsers

Required Tables

UDM Events — FILE_MODIFICATION, FILE_CREATION, FILE_MOVE event types

False Positives & Tuning

  • Distribution package manager upgrades of libpam that install a new pam_unix.so — excluded when the package manager binary is the direct initiating process, but postinstall ldconfig or update-alternatives calls may match if their parent is not captured in the process chain
  • Containerized workloads building Docker images that COPY a custom PAM configuration into a Linux base image during docker build — these appear as file creation events but occur within ephemeral build namespaces and may not represent host-level compromise
  • Puppet or Chef client runs applying an initial PAM configuration baseline to a freshly provisioned host before it enters the production asset inventory — correlate $e.principal.hostname against provisioning pipeline records for the same timestamp window
Download portable Sigma rule (.yml)

Other platforms for T1556.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Check PAM Module Integrity

    Expected signal: Auditd syscall events for file opens on PAM module paths. Syslog entries if auditd is configured with watches on /lib/security/. Process creation events for rpm or dpkg.

  2. Test 2Add Permissive PAM Configuration Entry (Non-Destructive)

    Expected signal: Auditd file write events for the PAM configuration file modification. Sysmon (Linux) Event ID 11 equivalent for file creation. Process creation events for cp and echo commands.

  3. Test 3Monitor PAM Authentication Events for Anomalies

    Expected signal: Linux syslog entries in /var/log/secure or /var/log/auth.log showing 'pam_unix(su:auth): authentication failure' for the nonexistent user. Auditd USER_AUTH events.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1556.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.007Hybrid IdentityT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1003.008/etc/passwd and /etc/shadowT1098Account ManipulationT1059.004Unix ShellT1543.002Systemd ServiceT1574.006Dynamic Linker Hijacking

Same Tactic: Credential Access

Popular Detections