Detect Pluggable Authentication Modules in Microsoft Sentinel
Adversaries may modify Pluggable Authentication Modules (PAM) to access user credentials or create backdoors. PAM is a modular authentication framework used by Linux and macOS services. The primary module pam_unix.so handles authentication against /etc/passwd and /etc/shadow. Adversaries patch pam_unix.so to accept a hardcoded backdoor password for any account, or harvest plaintext credentials during authentication. Skidmap malware replaced pam_unix.so with a malicious version accepting a specific backdoor password.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.003 Pluggable Authentication Modules
- Canonical reference
- https://attack.mitre.org/techniques/T1556/003/
KQL Detection Query
let PAMFilePaths = dynamic([
"/lib/security/pam_unix.so", "/lib64/security/pam_unix.so",
"/usr/lib/security/pam_unix.so", "/usr/lib64/security/pam_unix.so",
"/lib/x86_64-linux-gnu/security/pam_unix.so",
"/lib/aarch64-linux-gnu/security/pam_unix.so",
"/etc/pam.d/", "/etc/pam.conf"
]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any ("/lib/security", "/lib64/security", "/usr/lib/security",
"/lib/x86_64-linux-gnu/security", "/etc/pam.d", "/etc/pam.conf")
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where InitiatingProcessFileName !in~ ("apt", "apt-get", "dpkg", "rpm", "yum", "dnf", "zypper", "pacman", "pip", "pip3")
| project Timestamp, DeviceName, FolderPath, FileName, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName, SHA256
| sort by Timestamp descDetects unauthorized modifications to PAM module files and configuration on Linux systems. Monitors for file creation, modification, or renaming within PAM module directories (/lib*/security/) and /etc/pam.d/ configuration files by processes other than legitimate package managers. A malicious pam_unix.so replacement would appear as a file modification event.
Data Sources
Required Tables
False Positives & Tuning
- Package manager updates (apt, yum, rpm, dnf) replacing PAM modules during OS or software upgrades
- Configuration management tools (Ansible, Chef, Puppet, Salt) deploying updated PAM configurations via authorized playbooks
- Security hardening scripts legitimately modifying /etc/pam.d/ to enforce password policies or MFA
- System administrators manually patching PAM modules after a vulnerability disclosure
Other platforms for T1556.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Check PAM Module Integrity
Expected signal: Auditd syscall events for file opens on PAM module paths. Syslog entries if auditd is configured with watches on /lib/security/. Process creation events for rpm or dpkg.
- Test 2Add Permissive PAM Configuration Entry (Non-Destructive)
Expected signal: Auditd file write events for the PAM configuration file modification. Sysmon (Linux) Event ID 11 equivalent for file creation. Process creation events for cp and echo commands.
- Test 3Monitor PAM Authentication Events for Anomalies
Expected signal: Linux syslog entries in /var/log/secure or /var/log/auth.log showing 'pam_unix(su:auth): authentication failure' for the nonexistent user. Auditd USER_AUTH events.
References (6)
- https://attack.mitre.org/techniques/T1556/003/
- https://github.com/zephrax/linux-pam-backdoor
- https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- https://linux.die.net/man/8/pam_unix
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
Unlock Pro Content
Get the full detection package for T1556.003 including response playbook, investigation guide, and atomic red team tests.