T1556.003 IBM QRadar · QRadar

Detect Pluggable Authentication Modules in IBM QRadar

Adversaries may modify Pluggable Authentication Modules (PAM) to access user credentials or create backdoors. PAM is a modular authentication framework used by Linux and macOS services. The primary module pam_unix.so handles authentication against /etc/passwd and /etc/shadow. Adversaries patch pam_unix.so to accept a hardcoded backdoor password for any account, or harvest plaintext credentials during authentication. Skidmap malware replaced pam_unix.so with a malicious version accepting a specific backdoor password.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.003 Pluggable Authentication Modules
Canonical reference
https://attack.mitre.org/techniques/T1556/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  username,
  sourceip,
  "Process Name" AS process_name,
  "File Path" AS file_path,
  "File Name" AS file_name,
  "Command" AS command_line
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (11, 105, 352)
  AND (
    "File Path" ILIKE '/lib/security%'
    OR "File Path" ILIKE '/lib64/security%'
    OR "File Path" ILIKE '/usr/lib/security%'
    OR "File Path" ILIKE '/usr/lib64/security%'
    OR "File Path" ILIKE '/lib/x86_64-linux-gnu/security%'
    OR "File Path" ILIKE '/lib/aarch64-linux-gnu/security%'
    OR "File Path" ILIKE '/etc/pam.d/%'
    OR "File Path" = '/etc/pam.conf'
  )
  AND CATEGORYNAME(category) ILIKE '%file%'
  AND (
    "Process Name" IS NULL
    OR "Process Name" NOT IN (
      'apt', 'apt-get', 'dpkg', 'rpm', 'yum', 'dnf',
      'zypper', 'pacman', 'pip', 'pip3', 'ldconfig'
    )
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LIMIT 500
high severity medium confidence

QRadar AQL query detecting PAM library and configuration file write activity on Linux systems via auditd and syslog log sources (LOGSOURCETYPEID 11=Linux OS, 105=Linux Auditd, 352=Universal CEF). Targets pam_unix.so paths and /etc/pam.d/ modifications by non-package-manager processes. Requires custom event properties 'File Path', 'File Name', 'Process Name', and 'Command' to be mapped in the QRadar DSM for auditd.

Data Sources

Linux Auditd DSM (LOGSOURCETYPEID 105)Linux OS Syslog DSM (LOGSOURCETYPEID 11)Universal CEF DSM (LOGSOURCETYPEID 352) for endpoint agents

Required Tables

events

False Positives & Tuning

  • OS package manager operations installing or upgrading libpam packages — the process filter handles direct invocations but postinstall maintainer scripts may run under interpreter names such as sh or bash, bypassing the process name exclusion
  • SSSD or realmd joining a Linux host to an Active Directory domain, which writes /etc/pam.d/system-auth and /etc/pam.d/password-auth to enable Kerberos and SSSD modules — these are expected during domain enrollment windows
  • Cloud-init or vendor provisioning agents (AWS SSM Agent, Azure VM extension) that configure PAM during first-boot to enforce organization-wide authentication policies before the host is registered in asset inventory
Download portable Sigma rule (.yml)

Other platforms for T1556.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Check PAM Module Integrity

    Expected signal: Auditd syscall events for file opens on PAM module paths. Syslog entries if auditd is configured with watches on /lib/security/. Process creation events for rpm or dpkg.

  2. Test 2Add Permissive PAM Configuration Entry (Non-Destructive)

    Expected signal: Auditd file write events for the PAM configuration file modification. Sysmon (Linux) Event ID 11 equivalent for file creation. Process creation events for cp and echo commands.

  3. Test 3Monitor PAM Authentication Events for Anomalies

    Expected signal: Linux syslog entries in /var/log/secure or /var/log/auth.log showing 'pam_unix(su:auth): authentication failure' for the nonexistent user. Auditd USER_AUTH events.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1556.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.007Hybrid IdentityT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1003.008/etc/passwd and /etc/shadowT1098Account ManipulationT1059.004Unix ShellT1543.002Systemd ServiceT1574.006Dynamic Linker Hijacking

Same Tactic: Credential Access

Popular Detections