Pluggable Authentication Modules - T1556.003
(ATT&CK® Technique)
Definition
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.
D3FEND Inferred Relationships
Offensive technique to artifacts:
T1556.003 Pluggable Authentication Modules may-modify Operating System Configuration File
T1556.003 Pluggable Authentication Modules may-modify Operating System Shared Library File
T1556.003 Pluggable Authentication Modules modifies Authentication Service

Defensive techniques (relation to artifact; inferred relation to T1556.003):
Decoy File: spoofs Operating System Configuration File, Operating System Shared Library File; may-deceive
File Integrity Monitoring: analyzes Operating System Shared Library File, Operating System Configuration File; may-detect
File Encryption: encrypts Operating System Configuration File, Operating System Shared Library File; may-harden
File Eviction: deletes Operating System Configuration File, Operating System Shared Library File; may-evict
Process Termination: terminates Authentication Service; may-evict
Process Suspension: suspends Authentication Service; may-evict
Host Shutdown: terminates Authentication Service; may-evict
Local File Permissions: restricts Operating System Configuration File, Operating System Shared Library File; may-isolate
Restore File: restores Operating System Configuration File, Operating System Shared Library File; may-restore
System File Analysis: analyzes Operating System Configuration File, Operating System Shared Library File; may-detect
System Call Filtering: isolates Authentication Service; may-isolate
Hardware-based Process Isolation: isolates Authentication Service; may-isolate
Kernel-based Process Isolation: isolates Authentication Service; may-isolate
Application-based Process Isolation: isolates Authentication Service; may-isolate
Process Self-Modification Detection: analyzes Authentication Service; may-detect
Process Spawn Analysis: analyzes Authentication Service; may-detect
File Analysis: analyzes Operating System Shared Library File, Operating System Configuration File; may-detect
Remote File Access Mediation: isolates Operating System Configuration File, Operating System Shared Library File; may-isolate
Web Session Access Mediation: isolates Authentication Service; may-isolate
Host Reboot: terminates Authentication Service; may-evict
Process Lineage Analysis: analyzes Authentication Service; may-detect
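The File Integrity Monitoring and System File Analysis relationships above cover both artifact types the technique may modify: the PAM configuration files and the module shared libraries. The following is an added example, not D3FEND or ATT&CK code, that parses a PAM service file and checks every referenced module against a known-good baseline. The function names, the TRUSTED_DIRS set, the baseline format (module name to SHA-256) and all sample data are assumptions constructed for illustration.

```python
import hashlib
import posixpath
import re

# Assumed standard PAM module directories; adjust per distribution.
TRUSTED_DIRS = {"/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security"}
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam_config(text):
    """Yield (type, control, module) for each rule that loads a module."""
    for raw in text.replace("\\\n", " ").splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        # 'include'/'substack' name another config file, not a module.
        if m and m.group(2) not in ("include", "substack"):
            yield m.groups()

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit_pam(text, baseline, module_dir="/lib/security", hasher=sha256_file):
    """Compare modules referenced by a PAM config against a known-good baseline."""
    findings = []
    for _type, _control, module in parse_pam_config(text):
        path = posixpath.normpath(module if module.startswith("/") else posixpath.join(module_dir, module))
        name = posixpath.basename(path)
        if posixpath.dirname(path) not in TRUSTED_DIRS:
            findings.append((module, "loaded from non-standard directory"))
        elif name not in baseline:
            findings.append((module, "not in baseline"))
        elif hasher(path) != baseline[name]:
            findings.append((module, "hash differs from baseline"))
    return findings

# Constructed sample data: a service file, module contents, and a baseline.
SAMPLE_CONFIG = """\
# constructed /etc/pam.d service file
auth     required                    pam_env.so
auth     [success=1 default=ignore]  pam_unix.so nullok
auth     optional                    /opt/tmp/pam_extra.so
account  required                    pam_unix.so
session  include                     common-session
-session optional                    pam_systemd.so
"""
SAMPLE_DISK = {"/lib/security/pam_env.so": b"env-v2", "/lib/security/pam_unix.so": b"unix-v1"}
BASELINE = {"pam_env.so": hashlib.sha256(b"env-v1").hexdigest(),
            "pam_unix.so": hashlib.sha256(b"unix-v1").hexdigest()}

def demo():
    return audit_pam(SAMPLE_CONFIG, BASELINE, hasher=lambda p: hashlib.sha256(SAMPLE_DISK[p]).hexdigest())

if __name__ == "__main__":
    for module, reason in demo():
        print(f"{module}: {reason}")
```

On a real host, call audit_pam with the contents of each file under /etc/pam.d and the default hasher, using a baseline captured from a trusted package source rather than from the host being checked.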