title: Pluggable Authentication Modules (T1556.003)
id: df00tech-t1556-003
status: experimental
description: "Adversaries may modify Pluggable Authentication Modules (PAM) to access user credentials or create backdoors. PAM is a modular authentication framework used by Linux and macOS services. The primary module pam_unix.so handles authentication against /etc/passwd and /etc/shadow. Adversaries patch pam_unix.so to accept a hardcoded backdoor password for any account, or harvest plaintext credentials during authentication. Skidmap malware replaced pam_unix.so with a malicious version accepting a specific backdoor password."
references:
  - https://attack.mitre.org/techniques/T1556/003/
  - https://df00tech.com/detections/T1556.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1556.003
# NOTE: logsource was auto-derived as `windows`, which does not fit this technique:
# PAM modules and /etc/pam.d/ exist on Linux and macOS hosts. Set to linux here;
# adjust the product/service for your environment (e.g. file integrity or auditd logs).
logsource:
  product: linux
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Package manager updates (apt, yum, rpm, dnf) replacing PAM modules during OS or software upgrades
  - Configuration management tools (Ansible, Chef, Puppet, Salt) deploying updated PAM configurations via authorized playbooks
  - Security hardening scripts legitimately modifying /etc/pam.d/ to enforce password policies or MFA
  - System administrators manually patching PAM modules after a vulnerability disclosure
level: critical
