T1556.003 Sumo Logic CSE · Sumo

Detect Pluggable Authentication Modules in Sumo Logic CSE

Adversaries may modify Pluggable Authentication Modules (PAM) to access user credentials or create backdoors. PAM is a modular authentication framework used by Linux and macOS services. The primary module pam_unix.so handles authentication against /etc/passwd and /etc/shadow. Adversaries patch pam_unix.so to accept a hardcoded backdoor password for any account, or harvest plaintext credentials during authentication. Skidmap malware replaced pam_unix.so with a malicious version accepting a specific backdoor password.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.003 Pluggable Authentication Modules
Canonical reference
https://attack.mitre.org/techniques/T1556/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=linux/auditd OR _sourceCategory=linux/syslog
| parse regex "(?i)type=(?:PATH|SYSCALL|CREATE|MODIFY|WRITE)" nodrop
| parse regex field=_raw "name=\"(?<file_path>[^\"]+)\"" nodrop
| parse regex field=_raw "exe=\"(?<process_exe>[^\"]+)\"" nodrop
| parse regex field=_raw "comm=\"(?<process_name>[^\"]+)\"" nodrop
| parse regex field=_raw "hostname=(?<src_host>\S+)" nodrop
| parse regex field=_raw "auid=(?<auid>\d+)" nodrop
| where (
    file_path matches "/lib/security/pam_unix.so" or
    file_path matches "/lib64/security/pam_unix.so" or
    file_path matches "/usr/lib/security/pam_unix.so" or
    file_path matches "/usr/lib64/security/pam_unix.so" or
    file_path matches "/lib/x86_64-linux-gnu/security/pam_unix.so" or
    file_path matches "/lib/aarch64-linux-gnu/security/pam_unix.so" or
    file_path matches "/etc/pam.d/*" or
    file_path = "/etc/pam.conf"
  )
| where !(
    process_name in ("apt", "apt-get", "dpkg", "rpm", "yum", "dnf",
                     "zypper", "pacman", "pip", "pip3", "ldconfig")
    or process_exe matches "*/apt*"
    or process_exe matches "*/dpkg*"
    or process_exe matches "*/rpm*"
  )
| count as event_count by _sourceHost, file_path, process_name, process_exe, auid
| sort by event_count desc
high severity high confidence

Sumo Logic query parsing raw Linux auditd log records to detect PAM authentication library and configuration file modifications. Extracts file paths, process executables, and audit session IDs (auid) from auditd PATH and SYSCALL record types. Filters to target pam_unix.so across all common architecture-specific library paths and /etc/pam.d/ entries, excluding known package managers by both process name and executable path.

Data Sources

Linux Auditd (auditd daemon forwarded via syslog or Sumo Logic collector)Linux Syslog

Required Tables

_sourceCategory=linux/auditd_sourceCategory=linux/syslog

False Positives & Tuning

  • Automated configuration management systems (Ansible, SaltStack, Chef) applying a security hardening run that modifies PAM configuration files — the auid field can help distinguish human (interactive) sessions from automation (auid=4294967295 for unattended processes)
  • The pam-auth-update utility run interactively by an administrator to enable or disable PAM feature modules — this generates a burst of /etc/pam.d/ writes in rapid succession that looks anomalous in aggregate count
  • OpenSCAP or CIS-CAT remediation scripts automatically rewriting PAM configuration files to enforce DISA STIG or CIS Benchmark password complexity and lockout policies — validate against scheduled compliance scan windows
Download portable Sigma rule (.yml)

Other platforms for T1556.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Check PAM Module Integrity

    Expected signal: Auditd syscall events for file opens on PAM module paths. Syslog entries if auditd is configured with watches on /lib/security/. Process creation events for rpm or dpkg.

  2. Test 2Add Permissive PAM Configuration Entry (Non-Destructive)

    Expected signal: Auditd file write events for the PAM configuration file modification. Sysmon (Linux) Event ID 11 equivalent for file creation. Process creation events for cp and echo commands.

  3. Test 3Monitor PAM Authentication Events for Anomalies

    Expected signal: Linux syslog entries in /var/log/secure or /var/log/auth.log showing 'pam_unix(su:auth): authentication failure' for the nonexistent user. Auditd USER_AUTH events.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1556.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.007Hybrid IdentityT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1003.008/etc/passwd and /etc/shadowT1098Account ManipulationT1059.004Unix ShellT1543.002Systemd ServiceT1574.006Dynamic Linker Hijacking

Same Tactic: Credential Access

Popular Detections