T1556.003
Pluggable Authentication Modules
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pa...
Platforms: Linux, macOS
Detections: 5
Sources: 1
Threat Actors: 0
BY SOURCE
elastic: 5
PROCEDURES (3)
Credential: 2 detections
Auto-extracted: 2 detections for credential
Process Creation Monitoring: 2 detections
Auto-extracted: 2 detections for process creation monitoring
Authentication Monitoring: 1 detection
Auto-extracted: 1 detection for authentication monitoring
DETECTIONS (5)
Authentication via Unusual PAM Grantor (elastic, medium)
Pluggable Authentication Module (PAM) Creation in Unusual Directory (elastic, low)
Pluggable Authentication Module (PAM) Source Download (elastic, medium)
Pluggable Authentication Module or Configuration Creation (elastic, medium)
Potential Backdoor Execution Through PAM_EXEC (elastic, medium)