MITRE ATT&CK® Analytic

AN0288: Analytic 0288

Detects modification of PAM configuration files, unauthorized new PAM modules, and suspicious process execution accessing PAM-related binaries. Correlates file modification events in /etc/pam.d/ with process execution of unauthorized binaries.

Domain: Enterprise | ID: AN0288 | Type: Analytic | Object version: 1.0 | Modified: (no value in snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because Linux PAM (Pluggable Authentication Modules) decides how login, sshd, sudo, su and similar services authenticate users, check accounts and open sessions. An unauthorized change to a PAM configuration file, or a new or replaced PAM module, can weaken or bypass those controls without touching the services themselves, so security leaders should treat PAM monitoring as part of identity assurance and incident readiness for Linux systems.

Executive priority

Prioritize this where Linux systems support critical business services, privileged administration, or compliance-relevant access controls. The decision value is confirming whether the organization can produce evidence of PAM configuration integrity, investigate suspicious authentication-control changes quickly, and distinguish approved administration from unauthorized modification.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring for file modification events under /etc/pam.d/ (and under /etc/pam.conf and /etc/security/, which also shape PAM behavior), for new or unauthorized PAM modules in the distribution's module directory (for example /lib64/security or /usr/lib/x86_64-linux-gnu/security, depending on distribution and architecture), and for process execution that writes to or loads PAM-related binaries. Because no tactic mapping or full detection logic is supplied, teams should build local baselines of expected administrative tools (package managers and distribution helpers such as pam-auth-update or authselect), approved change windows, and authorized PAM module locations before alerting aggressively; otherwise routine package updates will dominate the alert stream.

Likely telemetry

  • Linux file modification events for /etc/pam.d/
  • Evidence of newly created or modified PAM module files
  • Linux process execution telemetry involving PAM-related binaries
  • User, host, timestamp, parent process, and command-line context for correlated file and process activity
  • Change-management or administrative approval records for PAM configuration updates

Detection direction

  • Correlate PAM configuration file changes with the process and user responsible for the change.
  • Tune for unauthorized binaries or unexpected processes accessing PAM-related components rather than relying only on path-based file monitoring.
  • Compare observed PAM modules and configuration changes against an approved baseline.
  • Account for legitimate system administration, package updates, and scheduled maintenance to reduce false positives.
  • Validate collection coverage on Linux hosts; this analytic has no supplied relationship context or official detection query, so local telemetry quality determines usefulness.
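The correlation described in the bullets above, as an added example that is not part of the ATT&CK object or of the Glexia analysis: it parses auditd-style SYSCALL and PATH records for PAM paths, joins them on the audit serial number to recover the writing process, its user and its login session, and flags changes made by a tool outside an assumed allowlist, changes with no attributable login session, and new files created in a PAM module directory. The log lines are constructed; the rule keys (pam_config, pam_modules), the allowlist and the module directory list are assumptions to replace with local values.

```python
"""Correlate auditd file-change records for PAM paths with the writing process.

Added example, not code from the ATT&CK object or this page. The records below
are constructed to resemble auditd output for watch rules keyed pam_config and
pam_modules; rule keys, allowlist and module directories are assumptions.
"""
import re

AUDIT_ID = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed local policy: tools allowed to rewrite PAM files (package managers and
# distribution PAM helpers) and the directories PAM modules are loaded from.
APPROVED_TOOLS = {"/usr/bin/dpkg", "/usr/bin/rpm", "/usr/sbin/pam-auth-update",
                  "/usr/bin/authselect"}
PAM_MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib64/security/",
                   "/lib/x86_64-linux-gnu/security/",
                   "/usr/lib/x86_64-linux-gnu/security/")
UNSET_AUID = "4294967295"  # auditd prints an unset login uid (-1) as this value

# Constructed sample: each SYSCALL record and its PATH records share the
# audit(<timestamp>:<serial>) identifier. Serial 201 is a package manager
# rewriting sshd's PAM file, 202 an interactive editor changing common-auth,
# 203 an unknown binary with no login session dropping a new module.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000001.100:201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 comm="dpkg" exe="/usr/bin/dpkg" key="pam_config"
type=PATH msg=audit(1700000001.100:201): item=0 name="/etc/pam.d/" inode=100 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000001.100:201): item=1 name="/etc/pam.d/sshd" inode=123 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1700000002.200:202): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim.basic" key="pam_config"
type=PATH msg=audit(1700000002.200:202): item=0 name="/etc/pam.d/" inode=100 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000002.200:202): item=1 name="/etc/pam.d/common-auth" inode=124 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1700000003.300:203): arch=c000003e syscall=257 success=yes exit=5 items=2 ppid=1400 pid=1401 auid=4294967295 uid=0 gid=0 euid=0 comm="x" exe="/tmp/.x" key="pam_modules"
type=PATH msg=audit(1700000003.300:203): item=0 name="/usr/lib/x86_64-linux-gnu/security/" inode=200 mode=040755 nametype=PARENT
type=PATH msg=audit(1700000003.300:203): item=1 name="/usr/lib/x86_64-linux-gnu/security/pam_helper.so" inode=201 mode=0100755 nametype=CREATE
"""


def parse_record(line):
    """Return one audit record as a dict, or None for lines without an audit id."""
    m = AUDIT_ID.search(line)
    if not m:
        return None
    rec = {k: (raw if raw else quoted) for k, quoted, raw in KEY_VALUE.findall(line)}
    rec.update(serial=int(m["serial"]), ts=float(m["ts"]))
    return rec


def group_by_serial(log_text):
    """Join the SYSCALL record and the PATH records that share an audit serial."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"syscall": None, "paths": []})
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec)
    return events


def correlate(log_text, approved=APPROVED_TOOLS, module_dirs=PAM_MODULE_DIRS):
    """One finding per touched PAM file, with the responsible process and reasons."""
    findings = []
    for serial, ev in sorted(group_by_serial(log_text).items()):
        sc = ev["syscall"]
        if sc is None:  # PATH records whose SYSCALL record was not collected
            continue
        for p in ev["paths"]:
            if p.get("nametype") == "PARENT":  # the directory entry, not the file
                continue
            path = p.get("name", "")
            reasons = []
            if sc.get("exe") not in approved:
                reasons.append("unapproved_tool")
            if sc.get("auid") == UNSET_AUID:
                reasons.append("no_login_session")
            if path.startswith(module_dirs) and p.get("nametype") == "CREATE":
                reasons.append("new_module")
            findings.append({"serial": serial, "ts": sc["ts"], "path": path,
                             "nametype": p.get("nametype"), "exe": sc.get("exe"),
                             "comm": sc.get("comm"), "pid": sc.get("pid"),
                             "ppid": sc.get("ppid"), "auid": sc.get("auid"),
                             "uid": sc.get("uid"), "key": sc.get("key"),
                             "reasons": reasons})
    return findings


def suspicious(findings):
    """Findings that carry at least one reason to alert."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in correlate(SAMPLE_AUDIT_LOG):
        flag = "ALERT" if f["reasons"] else "ok   "
        print(f"{flag} serial={f['serial']} {f['path']} by {f['exe']} "
              f"(auid={f['auid']} uid={f['uid']}) {','.join(f['reasons'])}")
```

Watch rules of the form `-w /etc/pam.d/ -p wa -k pam_config` and `-w /usr/lib/x86_64-linux-gnu/security/ -p wa -k pam_modules` produce records in this shape; feed the text of audit.log to correlate() and keep only suspicious(). The allowlist is deliberately about the executable, not the path: a package manager and an attacker's binary write to the same file, and only the process context tells them apart.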

Mitigation priorities

  • Maintain an approved baseline for PAM configuration files and modules.
  • Restrict and review privileged access capable of modifying PAM configuration.
  • Use change control for PAM-related modifications on Linux systems supporting important services.
  • Ensure incident response playbooks include validation of authentication configuration integrity when suspicious PAM changes are observed.
  • Retain sufficient Linux file and process telemetry to support investigation and compliance evidence.
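The approved baseline called for in the technical view, the detection direction, and the first mitigation bullet, as an added example that is not the page's or MITRE's code: it hashes the PAM configuration and module directories into a baseline, reports added, removed and modified files on a later check, and shows the directive-level change inside a pam.d file so an analyst sees what an edit did to the authentication stack rather than only that a hash changed. DEFAULT_TARGETS and the directory tree built by demo() are assumptions; that pam_permit.so always returns success is standard PAM behavior.

```python
"""Baseline the PAM configuration and module directories and report drift.

Added example, not code from the ATT&CK object or this page. DEFAULT_TARGETS
lists common Linux PAM locations; which of them exist on a host depends on the
distribution and architecture (assumption). demo() builds a constructed tree
so the logic can be exercised without touching a real system.
"""
import hashlib
import os
import re
import tempfile

DEFAULT_TARGETS = ["/etc/pam.conf", "/etc/pam.d", "/etc/security",
                   "/lib/security", "/lib64/security", "/usr/lib64/security",
                   "/lib/x86_64-linux-gnu/security",
                   "/usr/lib/x86_64-linux-gnu/security"]

# pam.d line: type  control  module-path  [args]; control may be a bracketed
# action list such as [success=1 default=ignore].
PAM_LINE = re.compile(r"^\s*(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)"
                      r"\s+(?P<module>\S+)\s*(?P<args>.*?)\s*$")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(targets=DEFAULT_TARGETS):
    """Map every regular file under the targets to its SHA-256 digest."""
    baseline = {}
    for target in targets:
        if os.path.isfile(target):
            baseline[target] = sha256_file(target)
        elif os.path.isdir(target):
            for root, _dirs, files in os.walk(target):
                for name in files:
                    path = os.path.join(root, name)
                    if os.path.isfile(path):  # skips dangling symlinks, sockets
                        baseline[path] = sha256_file(path)
    return baseline


def check_baseline(baseline, targets=DEFAULT_TARGETS):
    """Compare the live tree with a stored baseline: added, removed, modified."""
    current = build_baseline(targets)
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in common if baseline[p] != current[p])}


def parse_pam_stack(text):
    """Effective directives of a pam.d file as (type, control, module, args)."""
    stack = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("@include"):  # Debian-style include of another file
            parts = stripped.split()
            stack.append(("@include", "", parts[1] if len(parts) > 1 else "", ""))
            continue
        m = PAM_LINE.match(line)
        if m:
            stack.append((m["type"], m["control"], m["module"], m["args"]))
    return stack


def diff_pam_stack(old_text, new_text):
    """Directive-level diff so an analyst sees what changed in the auth stack."""
    old, new = parse_pam_stack(old_text), parse_pam_stack(new_text)
    return {"added": [d for d in new if d not in old],
            "removed": [d for d in old if d not in new]}


def _write(path, data):
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Constructed tree (assumption): take a baseline, then simulate three kinds of drift."""
    root = tempfile.mkdtemp(prefix="pam-baseline-")
    pamd, moddir = os.path.join(root, "pam.d"), os.path.join(root, "security")
    os.makedirs(pamd)
    os.makedirs(moddir)
    old_sshd = "# PAM config for sshd\nauth    required   pam_unix.so\n"
    _write(os.path.join(pamd, "sshd"), old_sshd)
    _write(os.path.join(moddir, "pam_unix.so"), b"\x7fELF")
    baseline = build_baseline([pamd, moddir])
    # Drift: pam_permit.so (always succeeds) inserted ahead of pam_unix.so,
    # an unknown module dropped into the module directory, a shipped module removed.
    new_sshd = ("# PAM config for sshd\nauth    sufficient pam_permit.so\n"
                "auth    required   pam_unix.so\n")
    _write(os.path.join(pamd, "sshd"), new_sshd)
    _write(os.path.join(moddir, "pam_x.so"), b"\x7fELF")
    os.remove(os.path.join(moddir, "pam_unix.so"))
    drift = check_baseline(baseline, [pamd, moddir])
    rel = lambda paths: [os.path.relpath(p, root) for p in paths]
    return {"drift": {k: rel(v) for k, v in drift.items()},
            "stack_diff": diff_pam_stack(old_sshd, new_sshd)}


if __name__ == "__main__":
    print(demo())
```

On a real host, run build_baseline() after an approved change, store the result off-box, and run check_baseline() on a schedule or when the audit correlation above alerts; an "added" entry under a module directory is a new PAM module by definition, and diff_pam_stack() on the old and new copies of a pam.d file is the quickest way to tell a cosmetic edit from a control weakening.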

Analyst notes and limits

This take is based on ATT&CK analytic AN0288 for Linux. The supplied object describes detection of PAM configuration modification, unauthorized new PAM modules, and suspicious process execution accessing PAM-related binaries, with correlation between /etc/pam.d/ file modification events and unauthorized process execution. No tactics, relationships, aliases, or official detection query were supplied.

The object provides a high-level analytic description only. It does not include a specific detection rule, tactic mapping, affected software, adversary relationships, or mitigation text. Coverage and priority must therefore be validated against the organization’s Linux estate, PAM usage, logging depth, and approved administrative workflows.

Official MITRE ATT&CK definition

Analytic 0288

Detects modification of PAM configuration files, unauthorized new PAM modules, and suspicious process execution accessing PAM-related binaries. Correlates file modification events in /etc/pam.d/ with process execution of unauthorized binaries.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f0aaf421bc702bd6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | f0aaf421bc70…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0288

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.