Detect Pluggable Authentication Modules in Splunk
Adversaries may modify Pluggable Authentication Modules (PAM) to access user credentials or create backdoors. PAM is a modular authentication framework used by Linux and macOS services. The primary module pam_unix.so handles authentication against /etc/passwd and /etc/shadow. Adversaries patch pam_unix.so to accept a hardcoded backdoor password for any account, or harvest plaintext credentials during authentication. Skidmap malware replaced pam_unix.so with a malicious version accepting a specific backdoor password.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.003 Pluggable Authentication Modules
- Canonical reference
- https://attack.mitre.org/techniques/T1556/003/
SPL Detection Query
index=linux_secure OR index=syslog sourcetype="linux_secure"
("pam_unix" OR "pam_succeed_if" OR "pam_ldap")
("authentication failure" OR "check pass" OR "user unknown")
| eval AuthResult=case(
match(_raw, "authentication failure"), "FAILURE",
match(_raw, "Accepted password"), "SUCCESS",
match(_raw, "user unknown"), "UNKNOWN_USER",
1==1, "OTHER"
)
| stats count as Events, dc(src) as UniqueSources, values(AuthResult) as Results by user, host
| where Events > 20 AND UniqueSources > 1
| sort - Events
| append
[search index=syslog sourcetype="syslog"
("pam_unix" OR "pam_deny" OR "pam_warn")
("session opened" OR "session closed")
NOT user IN ("root", "daemon", "nobody")
| rex field=_raw "pam_unix\\((?<service>[^:]+):(?<pamtype>[^)]+)\\)"
| table _time, host, user, service, pamtype, _raw]Detects suspicious PAM authentication patterns on Linux using /var/log/secure or /var/log/auth.log. Monitors for high-frequency authentication failures (potential backdoor password testing), unknown users, and unusual PAM session patterns. The union also captures PAM configuration reads during suspicious session events.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate high-volume authentication from service accounts or automated processes
- SSH brute-force attempts generating many pam_unix authentication failures (adjust threshold per environment)
- Users with typo-prone passwords generating clusters of failures before success
- SSSD or LDAP authentication failures during domain connectivity issues
Other platforms for T1556.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Check PAM Module Integrity
Expected signal: Auditd syscall events for file opens on PAM module paths. Syslog entries if auditd is configured with watches on /lib/security/. Process creation events for rpm or dpkg.
- Test 2Add Permissive PAM Configuration Entry (Non-Destructive)
Expected signal: Auditd file write events for the PAM configuration file modification. Sysmon (Linux) Event ID 11 equivalent for file creation. Process creation events for cp and echo commands.
- Test 3Monitor PAM Authentication Events for Anomalies
Expected signal: Linux syslog entries in /var/log/secure or /var/log/auth.log showing 'pam_unix(su:auth): authentication failure' for the nonexistent user. Auditd USER_AUTH events.
References (6)
- https://attack.mitre.org/techniques/T1556/003/
- https://github.com/zephrax/linux-pam-backdoor
- https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
- https://linux.die.net/man/8/pam_unix
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
Unlock Pro Content
Get the full detection package for T1556.003 including response playbook, investigation guide, and atomic red team tests.