Detect Pluggable Authentication Modules in Elastic Security
Adversaries may modify Pluggable Authentication Modules (PAM) to access user credentials or create backdoors. PAM is a modular authentication framework used by Linux and macOS services. The primary module pam_unix.so handles authentication against /etc/passwd and /etc/shadow. Adversaries patch pam_unix.so to accept a hardcoded backdoor password for any account, or harvest plaintext credentials during authentication. Skidmap malware replaced pam_unix.so with a malicious version accepting a specific backdoor password.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.003 Pluggable Authentication Modules
- Canonical reference
- https://attack.mitre.org/techniques/T1556/003/
Elastic Detection Query
file where event.type in ("creation", "change", "rename") and
(
file.path : (
"/lib/security/pam_unix.so",
"/lib64/security/pam_unix.so",
"/usr/lib/security/pam_unix.so",
"/usr/lib64/security/pam_unix.so",
"/lib/x86_64-linux-gnu/security/pam_unix.so",
"/lib/aarch64-linux-gnu/security/pam_unix.so"
) or
file.path : "/etc/pam.d/*" or
file.path : "/etc/pam.conf"
) and
not process.name in (
"apt", "apt-get", "dpkg", "rpm", "yum", "dnf",
"zypper", "pacman", "pip", "pip3", "make",
"install", "ldconfig", "update-alternatives"
)Detects unauthorized creation, modification, or renaming of PAM authentication shared libraries and configuration files using Elastic ECS file events. Targets pam_unix.so across all common Linux library paths and /etc/pam.d/ configuration files, excluding known package manager and system linker processes that perform legitimate PAM updates.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate OS package updates deploying a new version of libpam — the process.name exclusion filter covers direct package manager invocations but may miss postinstall scripts spawned as child processes with names like ldconfig or update-alternatives
- Configuration management tools such as Ansible, Puppet, or Chef applying a security hardening baseline that writes new /etc/pam.d/ entries for MFA (e.g., pam_google_authenticator) or password complexity policy enforcement
- Security administrators manually editing /etc/pam.d/sshd or /etc/pam.d/sudo to enable TOTP or hardware key (FIDO2/YubiKey) authentication — correlate with change management tickets and admin session logs
Other platforms for T1556.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Check PAM Module Integrity
Expected signal: Auditd syscall events for file opens on PAM module paths. Syslog entries if auditd is configured with watches on /lib/security/. Process creation events for rpm or dpkg.
- Test 2Add Permissive PAM Configuration Entry (Non-Destructive)
Expected signal: Auditd file write events for the PAM configuration file modification. Sysmon (Linux) Event ID 11 equivalent for file creation. Process creation events for cp and echo commands.
- Test 3Monitor PAM Authentication Events for Anomalies
Expected signal: Linux syslog entries in /var/log/secure or /var/log/auth.log showing 'pam_unix(su:auth): authentication failure' for the nonexistent user. Auditd USER_AUTH events.
References (6)
- https://attack.mitre.org/techniques/T1556/003/
- https://github.com/zephrax/linux-pam-backdoor
- https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- https://linux.die.net/man/8/pam_unix
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
Unlock Pro Content
Get the full detection package for T1556.003 including response playbook, investigation guide, and atomic red team tests.