T1556.003 CrowdStrike LogScale · LogScale

Detect Pluggable Authentication Modules in CrowdStrike LogScale

Adversaries may modify Pluggable Authentication Modules (PAM) to access user credentials or create backdoors. PAM is a modular authentication framework used by Linux and macOS services. The primary module pam_unix.so handles authentication against /etc/passwd and /etc/shadow. Adversaries patch pam_unix.so to accept a hardcoded backdoor password for any account, or harvest plaintext credentials during authentication. Skidmap malware replaced pam_unix.so with a malicious version accepting a specific backdoor password.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.003 Pluggable Authentication Modules
Canonical reference
https://attack.mitre.org/techniques/T1556/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = /WriteFile|PeFileWritten/
| FilePath = /\/(lib\/security|lib64\/security|usr\/lib\/security|usr\/lib64\/security|lib\/x86_64-linux-gnu\/security|lib\/aarch64-linux-gnu\/security|etc\/pam\.d|etc\/pam\.conf)/
| not ImageFileName = /\/(apt|apt-get|dpkg|rpm|yum|dnf|zypper|pacman|pip|pip3|ldconfig|update-alternatives)$/
| groupBy(
    [ComputerName, aid, UserName, FilePath, FileName, ImageFileName, CommandLine],
    function=[
      count(as=event_count),
      min(field=@timestamp, as=first_seen),
      max(field=@timestamp, as=last_seen)
    ]
  )
| sort(field=event_count, order=desc)
high severity medium confidence

CrowdStrike LogScale (Falcon) query detecting PAM library and PAM configuration file write events from non-package-manager processes on Linux endpoints. Uses WriteFile and PeFileWritten Falcon event types with regex path matching against all common pam_unix.so library directories and /etc/pam.d/. Groups results by host, user, file path, and initiating executable to surface repeated or bulk modification patterns.

Data Sources

CrowdStrike Falcon Endpoint Protection (Linux sensor)Falcon Insight XDR with file write telemetry enabled

Required Tables

#event_simpleName=WriteFile#event_simpleName=PeFileWritten

False Positives & Tuning

  • Package managers installing or upgrading libpam libraries — excluded by ImageFileName filter for direct invocations, but postinstall maintainer scripts running under sh, bash, or perl will bypass the process name check and require secondary validation against the parent process chain
  • The pam-auth-update tool invoked interactively by a system administrator to toggle PAM module features — this generates multiple rapid /etc/pam.d/ writes that appear as a burst in the grouped event_count output and should be correlated with an active admin SSH session on the same aid
  • CIS Benchmark or DISA STIG remediation automation tools (OpenSCAP, ansible-hardening role) that rewrite PAM configuration files to enforce lockout thresholds and password complexity rules — validate against scheduled compliance enforcement windows in your change management system
Download portable Sigma rule (.yml)

Other platforms for T1556.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Check PAM Module Integrity

    Expected signal: Auditd syscall events for file opens on PAM module paths. Syslog entries if auditd is configured with watches on /lib/security/. Process creation events for rpm or dpkg.

  2. Test 2Add Permissive PAM Configuration Entry (Non-Destructive)

    Expected signal: Auditd file write events for the PAM configuration file modification. Sysmon (Linux) Event ID 11 equivalent for file creation. Process creation events for cp and echo commands.

  3. Test 3Monitor PAM Authentication Events for Anomalies

    Expected signal: Linux syslog entries in /var/log/secure or /var/log/auth.log showing 'pam_unix(su:auth): authentication failure' for the nonexistent user. Auditd USER_AUTH events.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1556.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.007Hybrid IdentityT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1003.008/etc/passwd and /etc/shadowT1098Account ManipulationT1059.004Unix ShellT1543.002Systemd ServiceT1574.006Dynamic Linker Hijacking

Same Tactic: Credential Access

Popular Detections