MITRE ATT&CK® Analytic

AN1250: Analytic 1250

Detects unauthorized modifications to PAM configuration files or shared object modules. Correlates file modification events under /etc/pam.d/ or /lib/security/ with unusual authentication activity such as multiple simultaneous logins, off-hours logins, or logons without corresponding physical/VPN access.

Enterprise · AN1250 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1250 focuses on detecting unauthorized changes to Linux PAM configuration and authentication modules. For leaders, the practical issue is trust in login controls: if PAM files or shared objects are altered, authentication behavior may no longer match policy (a tampered stack or module can accept credentials that policy would reject, or record the ones that are entered), which affects privileged access, incident containment, and audit confidence.

Executive priority

Prioritize this analytic where Linux systems support critical business services, privileged administration, or compliance-scoped workloads. The key executive question is whether the organization can prove that authentication control files are monitored and that suspicious login patterns are investigated with enough context to distinguish legitimate administration from unauthorized access changes.

Technical view

Validate monitoring for file modification events under /etc/pam.d/ and /lib/security/ on Linux systems, then correlate those events with unusual authentication activity described by ATT&CK: multiple simultaneous logins, off-hours logins, or logons without corresponding physical or VPN access. Because no official detection logic is supplied, SOC and detection engineering teams should define local baselines for normal PAM administration, expected package updates, maintenance windows, and normal login patterns.

Likely telemetry

  • Linux file modification events for /etc/pam.d/
  • Linux file modification events for /lib/security/
  • Authentication and login records
  • Session timing and concurrency evidence
  • VPN access logs where available

Detection direction

  • Confirm that Linux endpoint or audit telemetry (for example, auditd watch rules or a file integrity monitor) captures changes to PAM configuration files and shared object modules in the specified paths. Note that many distributions install PAM modules under /lib64/security/ or an architecture-specific directory such as /lib/x86_64-linux-gnu/security/ rather than /lib/security/, so confirm that the monitored path list matches where modules actually live on each host.
  • Correlate PAM-related file changes with unusual authentication activity rather than alerting only on file writes, to reduce noise from legitimate administration or software maintenance.
  • Tune for known authorized change windows, package updates, and approved identity/access administration.
  • Investigate gaps where login events cannot be correlated with VPN or physical access records, since the analytic explicitly depends on that contextual comparison.
  • Document environments where /lib/security/ or PAM configuration monitoring is incomplete so coverage claims are not overstated.
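The following script is an added worked example of the correlation described in the technical view and in the detection direction above; it is not MITRE's detection logic (the page notes none is supplied) and not Glexia code. It takes constructed, SIEM-normalised file-modification and login records as JSON lines, drops PAM changes that fall inside an approved change window, and enriches each remaining change with logins on the same host that are off-hours, lack a matching VPN session, or sit close to a second session for the same user from another address. The path list beyond the two directories named by AN1250, the business hours, the window sizes, and every record are assumptions for illustration.

```python
"""Correlate PAM file modifications with anomalous logins (added example, not MITRE's logic)."""
import json
from datetime import datetime, timedelta

# Directories named by AN1250, plus module directories used by common distributions.
# The extra entries are an assumption for illustration, not part of the analytic text.
PAM_PATHS = ("/etc/pam.d/", "/lib/security/", "/lib64/security/",
             "/lib/x86_64-linux-gnu/security/")
BUSINESS_HOURS = (8, 18)                  # assumed local baseline; tune per site
CORRELATION_WINDOW = timedelta(hours=24)  # logins this close to a PAM change are examined
CONCURRENT_GAP = timedelta(minutes=10)    # same user, second source address within this gap

# Constructed SIEM-style records (JSON lines) used as sample input; not real telemetry.
FILE_EVENTS = """\
{"ts":"2024-03-12T02:13:40Z","host":"db01","path":"/etc/pam.d/sshd","user":"root","proc":"vi"}
{"ts":"2024-03-12T10:00:05Z","host":"web02","path":"/lib/security/pam_unix.so","user":"root","proc":"dpkg"}
{"ts":"2024-03-12T10:01:00Z","host":"web02","path":"/etc/hosts","user":"root","proc":"vi"}
{"ts":"2024-03-12T14:00:00Z","host":"web02","path":"/etc/pam.d/common-auth","user":"root","proc":"ansible"}
"""
LOGIN_EVENTS = """\
{"ts":"2024-03-12T02:40:00Z","host":"db01","user":"svc_backup","src":"203.0.113.7"}
{"ts":"2024-03-12T02:41:00Z","host":"db01","user":"svc_backup","src":"198.51.100.9"}
{"ts":"2024-03-12T11:00:00Z","host":"web02","user":"alice","src":"10.0.0.5"}
"""
# (user, source address) pairs seen by the VPN concentrator; constructed.
VPN_SESSIONS = {("svc_backup", "203.0.113.7"), ("alice", "10.0.0.5")}
# Approved change windows as (host, start, end); constructed.
CHANGE_WINDOWS = [("web02", "2024-03-12T09:30:00Z", "2024-03-12T10:30:00Z")]


def ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse(lines):
    recs = [json.loads(line) for line in lines.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = ts(r["ts"])
    return recs


def is_pam_path(path):
    return any(path.startswith(p) for p in PAM_PATHS)


def in_change_window(host, when, windows):
    return any(h == host and ts(start) <= when <= ts(end) for h, start, end in windows)


def login_reasons(login, logins, vpn):
    """Return the anomaly indicators for one login (an empty list means it looks normal)."""
    reasons = []
    hour = login["ts"].hour  # UTC in this example; convert to site-local time in production
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        reasons.append("off-hours login")
    if (login["user"], login["src"]) not in vpn:
        reasons.append("no matching VPN session")
    for other in logins:  # proxy for concurrency: true overlap needs session end times
        if other is login or other["user"] != login["user"] or other["host"] != login["host"]:
            continue
        if other["src"] != login["src"] and abs(other["ts"] - login["ts"]) <= CONCURRENT_GAP:
            reasons.append(f"concurrent session from {other['src']}")
            break
    return reasons


def correlate(file_lines, login_lines, vpn, windows):
    """One alert per PAM change outside an approved window, enriched with nearby odd logins."""
    logins = parse(login_lines)
    alerts = []
    for f in parse(file_lines):
        if not is_pam_path(f["path"]) or in_change_window(f["host"], f["ts"], windows):
            continue
        suspicious = []
        for lg in logins:
            if lg["host"] != f["host"] or abs(lg["ts"] - f["ts"]) > CORRELATION_WINDOW:
                continue
            reasons = login_reasons(lg, logins, vpn)
            if reasons:
                suspicious.append({"user": lg["user"], "src": lg["src"],
                                   "ts": lg["ts"].isoformat(), "reasons": reasons})
        alerts.append({"host": f["host"], "path": f["path"], "proc": f["proc"],
                       "changed_at": f["ts"].isoformat(),
                       "severity": "high" if suspicious else "low",
                       "suspicious_logins": suspicious})
    return alerts


if __name__ == "__main__":
    print(json.dumps(correlate(FILE_EVENTS, LOGIN_EVENTS, VPN_SESSIONS, CHANGE_WINDOWS), indent=2))
```

With the sample data, the db01 change to /etc/pam.d/sshd produces a high-severity alert carrying two off-hours svc_backup logins (one of them with no VPN record), the dpkg write to pam_unix.so on web02 is suppressed by the change window, /etc/hosts is ignored, and the later common-auth edit on web02 is reported at low severity because the only nearby login is unremarkable. The file events would normally be sourced from auditd watch rules such as `-w /etc/pam.d/ -p wa -k pam_config` and `-w /lib/security/ -p wa -k pam_modules` (the key names are arbitrary); the concurrency test is a proxy, and a production version should test for real session overlap using start and end times from wtmp or the SSH daemon's logs.
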

Mitigation priorities

  • Establish strict change control for Linux PAM configuration and authentication modules.
  • Limit administrative write access to PAM-related paths to authorized personnel and processes.
  • Ensure centralized collection of Linux file integrity and authentication telemetry for systems where this behavior matters.
  • Maintain correlation sources such as VPN, physical access, and change-management records where they are used to validate suspicious logons.
  • Periodically test whether PAM file changes generate reviewable security events and incident-response evidence.
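The last two mitigation items can be exercised with a small integrity baseline. The following Python is an added example (not Glexia's or MITRE's code) that fingerprints every file under the PAM configuration and module directories, keeps the result as a JSON manifest, and on a later run reports additions, removals, and changes to content, mode or ownership; demo() runs the same check against a constructed temporary tree so it is safe to execute anywhere. The root list, the /lib64/security entry and the sample files are assumptions.

```python
"""Baseline and re-check PAM configuration and module paths (added example, not Glexia or MITRE code)."""
import hashlib
import json
import os
import stat
import tempfile

# Directories to baseline on a real host. /lib64/security is an assumption for
# distributions that do not place modules under /lib/security.
PAM_ROOTS = ("/etc/pam.d", "/lib/security", "/lib64/security")


def fingerprint(path):
    """Content hash plus mode and owner, so permission or ownership drift is reported too."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid}


def build_manifest(roots, base=None):
    """Fingerprint every file under the given roots; keys are paths (relative to base if given)."""
    manifest = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                key = os.path.relpath(p, base) if base else p
                if os.path.islink(p):
                    manifest[key] = {"symlink": os.readlink(p)}  # a redirected module is a change too
                elif os.path.isfile(p):
                    manifest[key] = fingerprint(p)
    return manifest


def diff_manifest(baseline, current):
    """Files added, removed, or changed relative to the stored baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Exercise the check on a constructed throw-away tree rather than the live system paths."""
    with tempfile.TemporaryDirectory() as tmp:
        pamd, modules = os.path.join(tmp, "pam.d"), os.path.join(tmp, "security")
        os.makedirs(pamd)
        os.makedirs(modules)
        with open(os.path.join(pamd, "sshd"), "w") as fh:
            fh.write("auth required pam_unix.so\n")
        with open(os.path.join(modules, "pam_unix.so"), "wb") as fh:
            fh.write(b"\x7fELF stand-in")
        # Round-trip through JSON exactly as a stored baseline would be reloaded.
        baseline = json.loads(json.dumps(build_manifest((pamd, modules), base=tmp)))

        # Simulate an unauthorised change: the sshd stack is edited and a module is added.
        with open(os.path.join(pamd, "sshd"), "a") as fh:
            fh.write("auth sufficient pam_unexpected.so\n")
        with open(os.path.join(modules, "pam_unexpected.so"), "wb") as fh:
            fh.write(b"\x7fELF stand-in 2")
        return diff_manifest(baseline, build_manifest((pamd, modules), base=tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host, run build_manifest(PAM_ROOTS) as root in a known-good state, keep the JSON somewhere the host itself cannot rewrite, and diff it on a schedule; a non-empty result outside an approved change window should itself raise a reviewable event, which is the condition the last mitigation item asks teams to test. Package-manager verification (dpkg --verify or rpm -V) is a complementary check for packaged modules, but it does not cover files the package manager never owned.
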

Analyst notes and limits

The object is a detection analytic, not a technique description, and no ATT&CK relationship context or official detection logic was supplied. The useful defensive value is in validating whether authentication-control file changes can be observed and linked to suspicious login context on Linux systems.

This take is limited to the supplied ATT&CK fields. Tactics are not specified, relationships are absent, and the official detection field is not provided. Local baselines, asset criticality, logging configuration, and identity/access architecture are required to determine alert logic and operational priority.

Official MITRE ATT&CK definition

Analytic 1250

Detects unauthorized modifications to PAM configuration files or shared object modules. Correlates file modification events under /etc/pam.d/ or /lib/security/ with unusual authentication activity such as multiple simultaneous logins, off-hours logins, or logons without corresponding physical/VPN access.

The same entry is available on attack.mitre.org (MITRE-hosted reference); links within this page use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: 333650be4b893309...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (blank) | 1.0 | (blank) | Current bundle | 333650be4b89…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN1250 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.