MITRE ATT&CK® Detection Strategy

DET0454: Detect Malicious Modification of Pluggable Authentication Modules (PAM)

Enterprise · DET0454 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because PAM changes can affect how users and services authenticate. If maliciously modified, PAM can support persistence, credential access, or unauthorized account access on systems where PAM is used. For leaders, the practical question is whether the organization can prove that authentication components on relevant Linux and macOS systems are monitored for unauthorized change and can be investigated quickly.

Executive priority

Prioritize this as an identity and operational resilience control area for environments that rely on PAM. Authentication-layer tampering can undermine normal account controls and complicate incident response, so executives should ask whether critical servers and administrative workstations have file integrity visibility, change approval evidence, and IR procedures for suspicious authentication module or configuration changes. Because the supplied ATT&CK object provides no official detection text, coverage should be validated locally rather than assumed.

Technical view

DET0454 detects ATT&CK technique T1556.003, Pluggable Authentication Modules, which is associated with defense impairment, persistence, and credential access on Linux and macOS. SOC and IR teams should validate monitoring around PAM-related configuration files, module libraries, and authentication-related executable changes, especially where PAM governs privileged or remote access. Detection engineering should focus on distinguishing authorized package updates or admin changes from unexpected modification, replacement, permission change, or new module introduction in PAM paths relevant to the local operating system baseline.

Likely telemetry

  • File integrity monitoring or endpoint telemetry for PAM configuration files, libraries, and related executables
  • Authentication logs and system security logs around successful, failed, or anomalous logons
  • Package management and software update logs to separate approved updates from suspicious changes
  • Privileged command execution and administrative session records
  • Change management records for approved authentication configuration updates

Detection direction

  • Build detections around unauthorized or unexpected modification of PAM-related files, using known-good baselines for each supported operating system and role.
  • Correlate PAM file changes with privileged user activity, package manager events, maintenance windows, and subsequent authentication anomalies.
  • Tune for legitimate administrative activity, operating system updates, and security tooling that may modify authentication configuration.
  • Prioritize high-value systems such as servers, identity-adjacent infrastructure, and systems used for privileged administration.
  • Validate telemetry retention and alert routing before an incident; the ATT&CK object does not provide official detection logic or platform-specific paths.
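The baseline-and-correlate approach described in the two bullets above, as an added example that is not Glexia's or MITRE's code: it hashes a set of PAM-relevant paths into a known-good baseline, diffs a later snapshot against it (content, mode, added and removed files), and suppresses only those content changes that land shortly after a PAM-owning package was installed, so that a new module or a permission change is always raised. The Debian-style paths, the dpkg.log line format, the list of PAM-owning packages and all inputs are constructed assumptions, not taken from the page.

```python
"""Baseline diff plus package-manager correlation for PAM file changes.

Added example, not code from Glexia or MITRE. Assumptions not taken from the
page: Debian/Ubuntu layout (/etc/pam.d, /lib/<triplet>/security), dpkg.log
line format, and the set of PAM-owning packages. All inputs are constructed.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Paths treated as PAM-relevant (assumption: Debian/Ubuntu layout).
PAM_PATH = re.compile(r"^(/etc/pam\.d/|/etc/pam\.conf$|/(usr/)?lib/[^/]+/security/)")

# Packages that legitimately ship PAM modules/config on Debian-style hosts (assumption).
PAM_PACKAGES = {"libpam-modules", "libpam-modules-bin", "libpam-runtime", "libpam0g"}

# dpkg.log line for a completed install/upgrade, e.g.
# "2024-03-04 09:15:02 status installed libpam-runtime:all 1.5.2-6"
DPKG_INSTALLED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) status installed ([^:\s]+)")


def build_baseline(files):
    """files: {path: (content_bytes, mode)} -> {path: (sha256_hex, mode)}.
    Non-PAM paths are dropped so the baseline stays focused."""
    return {p: (hashlib.sha256(c).hexdigest(), m)
            for p, (c, m) in files.items() if PAM_PATH.match(p)}


def diff_baseline(baseline, current):
    """Compare two baselines; return [(kind, path)] with kind in
    added / removed / content / mode, ordered by path."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append(("added", path))
        elif path not in current:
            findings.append(("removed", path))
        else:
            (old_hash, old_mode), (new_hash, new_mode) = baseline[path], current[path]
            if old_hash != new_hash:
                findings.append(("content", path))
            if old_mode != new_mode:
                findings.append(("mode", path))
    return findings


def parse_dpkg_installs(lines):
    """Return [(datetime, package)] for completed installs of PAM-owning packages."""
    out = []
    for line in lines:
        m = DPKG_INSTALLED.match(line)
        if m and m.group(2) in PAM_PACKAGES:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return out


def classify(findings, change_times, pkg_installs, window=timedelta(minutes=10)):
    """Split findings into 'suppressed' (a content change within `window` after a
    PAM package install, i.e. a likely approved update) and 'alerts' (everything
    else). New, removed or re-permissioned modules are never suppressed.
    change_times: {path: datetime at which the change was observed}."""
    result = {"alerts": [], "suppressed": []}
    for kind, path in findings:
        changed_at = change_times.get(path)
        explained = kind == "content" and changed_at is not None and any(
            timedelta(0) <= changed_at - ts <= window for ts, _ in pkg_installs)
        result["suppressed" if explained else "alerts"].append((kind, path))
    return result


def demo():
    """Constructed sample run: one content change right after a libpam-runtime
    install, one permission change on an existing module, one unknown new module."""
    before = build_baseline({
        "/etc/pam.d/sshd": (b"auth required pam_unix.so\n", 0o644),
        "/etc/pam.d/common-auth": (b"auth [success=1 default=ignore] pam_unix.so nullok\n", 0o644),
        "/lib/x86_64-linux-gnu/security/pam_unix.so": (b"ELF-bytes-v1", 0o644),
        "/etc/hostname": (b"host\n", 0o644),  # not a PAM path; ignored by build_baseline
    })
    after = build_baseline({
        "/etc/pam.d/sshd": (b"auth required pam_unix.so\n", 0o644),
        "/etc/pam.d/common-auth": (b"auth [success=1 default=ignore] pam_unix.so nullok_secure\n", 0o644),
        "/lib/x86_64-linux-gnu/security/pam_unix.so": (b"ELF-bytes-v1", 0o755),
        "/lib/x86_64-linux-gnu/security/pam_unknown.so": (b"ELF-bytes-x", 0o644),
    })
    change_times = {  # constructed observation times (e.g. from FIM or audit events)
        "/etc/pam.d/common-auth": datetime(2024, 3, 4, 9, 16, 30),
        "/lib/x86_64-linux-gnu/security/pam_unix.so": datetime(2024, 3, 4, 22, 41, 0),
        "/lib/x86_64-linux-gnu/security/pam_unknown.so": datetime(2024, 3, 4, 22, 41, 5),
    }
    dpkg_log = [  # constructed dpkg.log excerpt
        "2024-03-04 09:15:02 status installed libpam-runtime:all 1.5.2-6",
        "2024-03-04 09:15:03 status installed vim:amd64 2:9.0.1378-2",
    ]
    return classify(diff_baseline(before, after), change_times, parse_dpkg_installs(dpkg_log))


if __name__ == "__main__":
    print(demo())
```

The window and the package list are the tuning knobs the bullet on legitimate administrative activity points at; in practice the suppressed bucket should still be logged, and a change that is explained by a package install but whose resulting hash does not match the package's own manifest deserves a second look.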

Mitigation priorities

  • Establish change control and approval requirements for PAM configuration and module changes.
  • Restrict write access to PAM-related files and directories to authorized administrators and managed processes.
  • Use file integrity monitoring or endpoint controls to alert on unexpected changes to authentication components.
  • Maintain recoverable baselines and tested rollback procedures for authentication configuration.
  • Include PAM tampering checks in Linux and macOS incident response playbooks where PAM is used.

Analyst notes and limits

The strongest relationship context is to T1556.003, whose tactics are defense impairment, persistence, and credential access, and whose related platforms are Linux and macOS. This supports treating PAM monitoring as both an identity-control and host-integrity requirement. Detection quality will depend heavily on local baselines, administrative practices, and whether endpoint telemetry covers authentication files with enough detail.

The supplied detection strategy has no official description, no official detection text, no object-level platforms, and no tactics. This take is therefore derived from the external reference and the relationship to T1556.003 only. It does not assert active exploitation, actor attribution, guaranteed detection, or universal applicability across all systems.

Official MITRE ATT&CK definition

Detect Malicious Modification of Pluggable Authentication Modules (PAM)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Type | Relationship / procedure
Enterprise | T1556.003 | Pluggable Authentication Modules | Sub-technique | This object detects Pluggable Authentication Modules.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: 23a6bc317c44ea01...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (none) | 1.0 | (none) | Current bundle | 23a6bc317c44…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0454 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.