Pluggable Authentication Modules

Information

• Name: Pluggable Authentication Modules

• ID: T1556.003

• Tactics: TA0006, TA0005, TA0003

• Technique: T1556

Introduction

Pluggable Authentication Modules (PAM) [T1556.003] is a sub-technique within the MITRE ATT&CK framework categorized under Credential Access. PAM provides dynamic authentication support for applications and services in Linux and Unix-based systems through a modular and configurable interface. Attackers targeting PAM aim to manipulate authentication mechanisms to gain persistent unauthorized access, escalate privileges, or harvest sensitive credentials from compromised systems.

Deep Dive Into Technique

Pluggable Authentication Modules (PAM) is a standardized authentication framework widely implemented in Linux and Unix-like operating systems. PAM allows system administrators to configure authentication policies and mechanisms through modular libraries, enabling flexible and centralized control over authentication processes.

Attackers may exploit PAM in several ways, including:

• PAM Module Injection:

  • Malicious actors may insert or replace legitimate PAM modules with malicious ones.

  • These altered modules intercept authentication processes, capturing plaintext passwords or granting unauthorized access.

  • Attackers typically modify PAM configuration files (e.g., /etc/pam.d/sshd, /etc/pam.d/system-auth) to load malicious modules.

• Configuration File Modification:

  • Attackers may directly modify PAM configuration files to weaken security policies (e.g., removing multi-factor authentication or password complexity requirements).

  • Configuration files commonly targeted include:

    • /etc/pam.d/common-auth

    • /etc/pam.d/login

    • /etc/pam.d/sshd

• Backdooring PAM Modules:

  • Legitimate PAM modules can be backdoored by modifying the source code or binaries to include hidden authentication bypasses.

  • Compromised modules can silently authenticate attackers using specific credentials, tokens, or conditions.

Real-world procedures typically involve:

• Replacing or adding malicious PAM modules that log credentials to hidden files.

• Modifying PAM configuration files to bypass authentication steps or lower security standards.

• Leveraging root-level access obtained through other vulnerabilities or techniques to install persistent PAM backdoors.

When this Technique is Usually Used

Attackers commonly utilize PAM subversion at various stages of a cyberattack lifecycle, particularly during:

• Privilege Escalation:

  • To escalate privileges by bypassing authentication mechanisms or capturing credentials of privileged users.

• Credential Harvesting:

  • To intercept and collect plaintext passwords or authentication tokens during user logins.

• Persistence:

  • To maintain long-term access on compromised systems by embedding persistent backdoors within PAM modules or configurations.

• Lateral Movement:

  • Once attackers compromise a single host, they may leverage PAM manipulation to gain credentials and subsequently move laterally across the network.

Typical scenarios include:

• Advanced Persistent Threat (APT) campaigns targeting Linux-based servers and infrastructure.

• Insider threats aiming to maintain hidden access without detection.

• Cybercriminal groups targeting cloud infrastructure, servers, or containerized environments.

How this Technique is Usually Detected

Detection of PAM manipulation involves monitoring and analyzing system integrity, file changes, and authentication logs. Common detection methods include:

• File Integrity Monitoring (FIM):

  • Monitoring critical PAM configuration files and module binaries for unauthorized modifications.

  • Tools include:

    • Tripwire

    • OSSEC

    • AIDE (Advanced Intrusion Detection Environment)

• Audit Logging and Analysis:

  • Monitoring Linux audit logs (auditd) for unusual activities related to PAM modules and configuration files.

  • Relevant audit rules include monitoring:

    • /etc/pam.d/*

    • /lib/security/ (common PAM module directory)

    • /lib64/security/

• Behavioral and Anomaly Detection:

  • Monitoring authentication logs (e.g., /var/log/auth.log, /var/log/secure) for anomalies such as unexpected successful logins, authentication bypasses, or frequent failed attempts.

  • Utilizing SIEM (Security Information and Event Management) tools for correlation:

    • Splunk

    • ELK Stack (Elasticsearch, Logstash, Kibana)

    • QRadar

• Indicators of Compromise (IoCs):

  • Unexpected or newly created PAM modules within /lib/security/ or /lib64/security/.

  • Altered PAM configuration files (/etc/pam.d/) with recent modification timestamps.

  • Suspicious log entries indicating abnormal PAM module behaviors or authentication bypasses.

  • Hidden files or directories storing captured credentials.

Why it is Important to Detect This Technique

Early detection of PAM manipulation is crucial due to its severe potential impacts on system security and organizational integrity. Possible consequences include:

• Credential Exposure and Theft:

  • Attackers can harvest sensitive user credentials, enabling further compromise of accounts, systems, or networks.

• Persistent Unauthorized Access:

  • Malicious PAM modules or configurations can provide attackers indefinite persistent access, even surviving system reboots or updates.

• Privilege Escalation:

  • Attackers may escalate privileges to root or administrative accounts, significantly increasing their ability to cause damage or maintain stealthy access.

• Data Exfiltration and Breaches:

  • Compromised authentication mechanisms facilitate unauthorized access to sensitive data, intellectual property, or personally identifiable information (PII), potentially leading to data breaches or regulatory non-compliance.

• Operational Disruption:

  • Attackers may disrupt authentication services, causing denial-of-service conditions or operational downtime.

Due to these critical impacts, proactive monitoring and detection mechanisms are essential for promptly identifying and mitigating PAM-related attacks, minimizing damage, and ensuring system integrity.

Examples

Real-world examples of PAM manipulation attacks include:

• Linux/Ebury SSH Rootkit:

  • Attackers compromised Linux servers by modifying the SSH PAM module to capture login credentials.

  • The malicious PAM module logged captured passwords to hidden files, enabling attackers to maintain persistent access and propagate to additional systems.

• Operation Windigo (ESET Research):

  • Attackers used malicious PAM modules to intercept SSH credentials on compromised Linux servers.

  • Captured credentials were used to propagate malware, perform spam campaigns, and host malicious content.

• HiddenWasp Malware:

  • Linux malware that included PAM module manipulation to maintain persistence and stealthy access.

  • Attackers modified PAM configurations to bypass authentication, allowing covert access to compromised systems.

Typical tools and methods observed in these attacks:

• Custom-built malicious PAM modules written in C/C++.

• Rootkits or malware frameworks specifically targeting Linux authentication mechanisms.

• Use of legitimate system administration tools to modify PAM configurations and evade detection.

Impact of these attacks included:

• Persistent, stealthy access to compromised Linux servers.

• Credential theft and lateral movement across compromised networks.

• Deployment of additional malware payloads and unauthorized activities, including spam campaigns, cryptocurrency mining, or data exfiltration.