T1556.003: Pluggable Authentication Modules
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.[1][2][3]
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary-supplied values as legitimate credentials.[4]
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, because the values exchanged with PAM components may be in plain text: PAM does not store passwords itself.[5][1]
Analyst context for executives and security teams
PAM is a core authentication layer on Linux and macOS. If an adversary changes PAM configuration, libraries, or executables, they may be able to keep access, bypass normal authentication expectations, or collect credentials during legitimate logons. For leaders, this matters because a compromised authentication component can undermine trust in accounts, logs, and access decisions on critical Unix-based systems.
Executive priority
Treat this as an identity and resilience risk for Linux and macOS estates, especially systems where privileged access, service authentication, or administrative logons depend on PAM. Priority questions: which servers use PAM for important services, who can change PAM resources, are privileged changes logged and reviewed, and can the organization prove PAM integrity during an incident or audit? The supplied mitigations point to privileged account management and MFA, but local assurance depends on controlling and monitoring privileged modification paths.
Technical view
This is a sub-technique of Modify Authentication Process under defense-impairment, persistence, and credential-access. SOC and IR teams should validate monitoring around PAM configuration files, PAM libraries such as pam_unix.so, PAM-related executables, and related authentication stores such as /etc/passwd and /etc/shadow. ATT&CK provides no official detection text, but the related detection strategy DET0454 indicates focus on detecting malicious modification of PAM. Correlate PAM resource changes with privileged account activity and authentication events on Linux and macOS. Related software examples in ATT&CK include Ebury and Skidmap, both tied to Linux context, so Linux server coverage should be explicitly checked.
Likely telemetry
- File change or integrity events for PAM configuration files, PAM shared libraries, and PAM-related executables
- Authentication logs from Linux and macOS services that rely on PAM
- Privileged account activity, root-level command execution, and administrative change logs
- Package or binary integrity evidence for PAM components where available
- Changes involving /etc/passwd and /etc/shadow
Detection direction
- Confirm whether DET0454-style logic is implemented: detection of malicious or unexpected modification to PAM resources.
- Baseline approved PAM files and libraries, then alert on unauthorized changes, especially to pam_unix.so or PAM configuration paths.
- Correlate PAM changes with privileged account use; false positives may include legitimate OS updates, package maintenance, or approved authentication configuration changes.
- Review blind spots on unmanaged Linux/macOS hosts, systems without file integrity monitoring, and environments where root activity is not centrally logged.
- During IR, do not rely only on successful/failed login patterns; a modified authentication process may make normal authentication telemetry less trustworthy.
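One way to implement the baseline-and-alert step above is a small integrity checker over the PAM-related paths. This is an added example, not logic from ATT&CK, DET0454 or Glexia; the Debian-style module directory is an assumption, and the file tree it builds is constructed sample data, so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed Debian-style locations for PAM config and modules; adjust the globs
# for RHEL (lib64/security) or macOS (/usr/lib/pam, /etc/pam.d) before use.
PAM_PATTERNS = ["etc/pam.conf", "etc/pam.d/*", "lib/x86_64-linux-gnu/security/*.so",
                "etc/passwd", "etc/shadow"]

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, patterns=PAM_PATTERNS) -> dict:
    """Record hash, size and permission bits of every PAM-related file under root."""
    baseline = {}
    for pattern in patterns:
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                st = p.stat()
                baseline[str(p.relative_to(root))] = {
                    "sha256": sha256_of(p), "size": st.st_size,
                    "mode": st.st_mode & 0o7777}
    return baseline

def diff_baseline(old: dict, new: dict) -> dict:
    """Classify drift: modified (content or mode), added (unapproved module/config), removed."""
    return {"modified": sorted(k for k in old if k in new and old[k] != new[k]),
            "added": sorted(k for k in new if k not in old),
            "removed": sorted(k for k in old if k not in new)}

def demo() -> dict:
    """Constructed sample tree: approved state, then two changes an analyst would want flagged."""
    root = Path(tempfile.mkdtemp())
    modules = root / "lib/x86_64-linux-gnu/security"
    (root / "etc/pam.d").mkdir(parents=True)
    modules.mkdir(parents=True)
    (root / "etc/pam.d/sshd").write_text("auth required pam_unix.so\n")
    (modules / "pam_unix.so").write_bytes(b"\x7fELF constructed stand-in for the approved module\n")
    approved = build_baseline(root)
    # Simulated drift: module bytes altered, an extra unapproved module appears.
    (modules / "pam_unix.so").write_bytes(b"\x7fELF constructed stand-in, bytes changed\n")
    (modules / "pam_extra.so").write_bytes(b"\x7fELF constructed unapproved module\n")
    return diff_baseline(approved, build_baseline(root))
```

In production the approved baseline would be stored off-host and refreshed only through the change-control path, so that package updates are reconciled rather than silently accepted.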
Mitigation priorities
- Prioritize privileged account management: restrict who can modify PAM resources, apply least privilege, and require accountability through logging and auditing.
- Use MFA for critical systems and services where PAM-backed authentication is in scope, recognizing that MFA does not by itself prove PAM file integrity.
- Maintain auditable change control for authentication configuration and PAM-related components.
- Ensure incident response playbooks include validation of PAM configuration, libraries, and related authentication files on Linux and macOS systems.
Analyst notes and limits
This take is based on ATT&CK T1556.003 version 3.0 and supplied relationships. MITRE describes PAM modification as a way to enable unwarranted access or harvest credentials; relationships identify privileged account management and MFA as mitigations and DET0454 as a relevant detection strategy.
ATT&CK does not provide official detection guidance for this object, and the supplied relationship to DET0454 does not include detection logic details. Local file paths, approved PAM modules, log sources, and update processes must be validated in the customer environment before judging coverage or risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1556 | Modify Authentication Process | This object is a sub-technique of Modify Authentication Process. |
Groups, software, and campaigns
S0377: Ebury
Ebury is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by Windigo. Ebury is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, Ebury has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.[1][2][3][4]
S0468: Skidmap
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 8bb11886602c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Apple PAM: Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020.
[2] Man Pam_Unix: die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020.
[3] Red Hat PAM: Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020.
[4] PAM Backdoor: zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020.
[5] PAM Creds: Fernández, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved November 17, 2024.
[6] mitre-attack: T1556.003.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.