
DET0454 Detect Malicious Modification of Pluggable Authentication Modules (PAM)

ID: DET0454
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1556.003 (Pluggable Authentication Modules)

Analytics

Linux

AN1250

Detects unauthorized modification of PAM configuration files or PAM shared-object modules. Watches write and attribute changes (not reads: every authentication opens the files under /etc/pam.d/, so auditing reads produces constant noise) to /etc/pam.d/ and to the distribution's module directory (/lib/security/, /lib64/security/ or /lib/x86_64-linux-gnu/security/), and correlates them with unusual authentication activity such as multiple simultaneous logons, off-hours logons, or logons with no corresponding physical (badge) or VPN access.

Log Sources
Data Component | Name | Channel
File Modification (DC0061) | auditd:SYSCALL | open, write
Process Creation (DC0032) | auditd:SYSCALL | execve
Logon Session Creation (DC0067) | NSM:Connections | simultaneous or anomalous logon sessions across multiple systems

Mutable Elements
Field | Description
MonitoredPaths | List of PAM configuration and module directories monitored (e.g., /etc/pam.d/ and the distribution's module directory: /lib/security/, /lib64/security/ or /lib/x86_64-linux-gnu/security/).
TimeWindow | Timeframe for correlating suspicious file modifications with anomalous login events.
BaselineAccounts | Expected login frequency and systems per user account; deviations may indicate compromise.
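The correlation AN1250 describes, written out as an added example (this is not MITRE's code and not part of the detection strategy itself). It groups raw auditd SYSCALL and PATH records by their audit serial, keeps only successful write-capable syscalls whose target lies under MonitoredPaths (a read-only open of /etc/pam.d/sshd by sshd is deliberately not counted as a modification), then inspects logons within TimeWindow for off-hours activity or more concurrent sources than BaselineAccounts allows. The audit rules, the x86_64 syscall numbers, the shape of the logon records and every sample record are assumptions made for the example.

```python
"""Correlate PAM file modifications recorded by auditd with anomalous logons.

Added example for AN1250, not MITRE's code. Assumes raw (uninterpreted) auditd
records from watch rules such as `-w /etc/pam.d -p wa -k pam_watch` and
`-w /lib/security -p wa -k pam_watch` on x86_64, plus logon sessions normalised
to dicts (ts as epoch seconds UTC, user, src). All sample records are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

MONITORED_PATHS = ("/etc/pam.d/", "/lib/security/", "/lib64/security/", "/lib/x86_64-linux-gnu/security/")
TIME_WINDOW = 12 * 3600                       # seconds after a change in which logons are inspected
BASELINE_ACCOUNTS = {"root": 1, "deploy": 2}  # expected concurrent source hosts per account
BUSINESS_HOURS = range(7, 19)                 # UTC hours in which logons are routine

# x86_64 syscall numbers. open/openat count only when opened for writing (every authentication
# reads /etc/pam.d/*); rename, unlink, chmod, unlinkat, renameat, fchmodat, renameat2 always count.
OPEN_FLAG_ARG = {2: "a1", 257: "a2"}
MUTATING_SYSCALLS = {82, 87, 90, 263, 264, 268, 316}
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")

def parse_audit(lines):
    """Group the SYSCALL and PATH records that share one audit serial into one event."""
    events = defaultdict(lambda: {"paths": []})
    for line in lines:
        m = SERIAL_RE.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[int(m.group(2))]
        ev["ts"] = int(m.group(1))
        if f.get("type") == "SYSCALL":
            ev.update(syscall=int(f["syscall"]), success=f.get("success") == "yes",
                      exe=f.get("exe"), a1=f.get("a1"), a2=f.get("a2"))
        elif f.get("type") == "PATH":
            ev["paths"].append((f.get("name", ""), f.get("nametype", "")))
    return list(events.values())

def is_mutating(ev):
    """True when the syscall can change a file: write-mode open, or rename/unlink/chmod."""
    sc = ev.get("syscall")
    if sc in OPEN_FLAG_ARG:
        flags = int(ev.get(OPEN_FLAG_ARG[sc]) or "0", 16)
        return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)
    return sc in MUTATING_SYSCALLS

def pam_modifications(events, monitored=MONITORED_PATHS):
    """Successful mutating syscalls whose target (not its parent directory) is under a monitored path."""
    return [{"ts": ev["ts"], "path": name, "exe": ev["exe"]}
            for ev in events if ev.get("success") and is_mutating(ev)
            for name, nametype in ev["paths"]
            if nametype != "PARENT" and name.startswith(tuple(monitored))]

def correlate(mods, logons, window=TIME_WINDOW, baseline=BASELINE_ACCOUNTS, hours=BUSINESS_HOURS):
    """For each PAM modification, flag logons in the following window that are off-hours
    or arrive from more concurrent sources than the account's baseline allows."""
    alerts = []
    for mod in mods:
        sources = defaultdict(set)
        for l in (l for l in logons if mod["ts"] <= l["ts"] <= mod["ts"] + window):
            sources[l["user"]].add(l["src"])
            if datetime.fromtimestamp(l["ts"], timezone.utc).hour not in hours:
                alerts.append(dict(mod, user=l["user"], reason="off-hours logon from %s" % l["src"]))
        for user, srcs in sources.items():
            if len(srcs) > baseline.get(user, 1):
                alerts.append(dict(mod, user=user, reason="%d concurrent sources, baseline %d" % (len(srcs), baseline.get(user, 1))))
    return alerts

# Constructed records, 2025-10-21 UTC. 9001: vi writes /etc/pam.d/sshd. 9002: sshd only reads it
# (a2=80000 is O_RDONLY|O_CLOEXEC) and must not alert. 9003: mv renames a module into /lib/security/.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1761055200.101:9001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55c1a0 a2=241 a3=1b6 items=2 pid=2133 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="pam_watch"
type=PATH msg=audit(1761055200.101:9001): item=0 name="/etc/pam.d/" nametype=PARENT
type=PATH msg=audit(1761055200.101:9001): item=1 name="/etc/pam.d/sshd" nametype=NORMAL
type=SYSCALL msg=audit(1761055260.500:9002): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7f3a20 a2=80000 a3=0 items=1 pid=800 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="pam_watch"
type=PATH msg=audit(1761055260.500:9002): item=0 name="/etc/pam.d/sshd" nametype=NORMAL
type=SYSCALL msg=audit(1761055300.000:9003): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd10 a1=7ffd40 a2=0 a3=0 items=4 pid=2140 auid=1000 uid=0 comm="mv" exe="/usr/bin/mv" key="pam_watch"
type=PATH msg=audit(1761055300.000:9003): item=0 name="/tmp/" nametype=PARENT
type=PATH msg=audit(1761055300.000:9003): item=1 name="/lib/security/" nametype=PARENT
type=PATH msg=audit(1761055300.000:9003): item=2 name="/tmp/pam_unix.so" nametype=DELETE
type=PATH msg=audit(1761055300.000:9003): item=3 name="/lib/security/pam_unix.so" nametype=CREATE
""".splitlines()

# Constructed logons: bob precedes the change; root then appears from two hosts (baseline 1);
# deploy stays within baseline; alice logs on at 23:00 UTC, outside BUSINESS_HOURS.
SAMPLE_LOGONS = [
    {"ts": 1761051600, "user": "bob", "src": "10.0.0.4"},
    {"ts": 1761055500, "user": "root", "src": "10.0.0.5"},
    {"ts": 1761055620, "user": "root", "src": "10.0.0.6"},
    {"ts": 1761057000, "user": "deploy", "src": "10.0.0.7"},
    {"ts": 1761087600, "user": "alice", "src": "10.0.0.8"},
]

def run_sample():
    mods = pam_modifications(parse_audit(SAMPLE_AUDIT))
    return mods, correlate(mods, SAMPLE_LOGONS)
```

`run_sample()` returns the two modifications (vi on /etc/pam.d/sshd, mv into /lib/security/) and four alerts: for each modification, root's two concurrent sources and alice's 23:00 logon. In production the per-modification alerts would be collapsed per host, and `-p wa` watch rules already suppress the read-only opens that the `is_mutating` check guards against when broader `-S openat` rules are in use.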

macOS

AN1251

Detects suspicious changes to macOS PAM configuration and authorization plugin files. Correlates file modifications under /etc/pam.d/ (PAM configuration) or /Library/Security/SecurityAgentPlugins (authorization plugins loaded by SecurityAgent) with unexpected authentication attempts or anomalous account usage. The PAM module binaries themselves live under /usr/lib/pam/, which System Integrity Protection keeps read-only, so the configuration files and authorization plugins are the practical targets to watch.

Log Sources
Data Component | Name | Channel
Logon Session Creation (DC0067) | macos:unifiedlog | authentication plugin load or modification events
File Modification (DC0061) | macos:osquery | write

Mutable Elements
Field | Description
WatchedPlugins | Expected set of PAM and authorization plugins; unknown additions may indicate malicious insertion.
CorrelatedSources | Cross-correlation with VPN/physical access logs to identify impossible or anomalous login patterns.
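The two mutable elements of AN1251 in code, as an added example (not MITRE's code and not part of the detection strategy). WatchedPlugins is modelled as a baseline of expected file paths and SHA-256 hashes that osquery file_events results are checked against, so an unknown plugin and a known file rewritten with different content are reported separately while an identical rewrite is ignored; CorrelatedSources is modelled as a check that each logon is explained by either a covering VPN session or a recent badge-in at the same site. The osquery result shape is the real file_events schema, but the query name, hostnames, hashes, and every logon, VPN and badge record are constructed for the example.

```python
"""Baseline macOS PAM configuration and authorization plugins, and find logons with
no matching VPN or badge access.

Added example for AN1251, not MITRE's code. Assumes osquery `file_events`
differential results (JSON lines) for /etc/pam.d and
/Library/Security/SecurityAgentPlugins, and logon, VPN-session and badge records
already normalised to dicts. Every record and hash below is constructed.
"""
import json

WATCHED_DIRS = ("/etc/pam.d/", "/Library/Security/SecurityAgentPlugins/")
# WatchedPlugins: expected files and their SHA-256 (constructed hashes)
WATCHED_PLUGINS = {
    "/etc/pam.d/sshd": "a1" * 32,
    "/etc/pam.d/sudo": "b2" * 32,
    "/Library/Security/SecurityAgentPlugins/CorpLogin.bundle/Contents/MacOS/CorpLogin": "c3" * 32,
}
MUTATING_ACTIONS = {"CREATED", "UPDATED", "MOVED_TO", "ATTRIBUTES_MODIFIED"}
BADGE_GRACE = 12 * 3600  # seconds after a badge-in during which on-site logons are expected


def plugin_changes(osquery_lines, baseline=WATCHED_PLUGINS, dirs=WATCHED_DIRS):
    """Classify file_events under the watched directories against the plugin baseline:
    a path not in the baseline is 'unknown_plugin', a known path with a new hash is 'tampered'."""
    findings = []
    for line in osquery_lines:
        rec = json.loads(line)
        col = rec["columns"]
        path = col["target_path"]
        if col["action"] not in MUTATING_ACTIONS or not path.startswith(dirs):
            continue
        expected = baseline.get(path)
        if expected is None:
            kind = "unknown_plugin"
        elif col.get("sha256") != expected:
            kind = "tampered"
        else:
            continue  # rewritten with identical content, e.g. a package reinstall
        findings.append({"host": rec["hostIdentifier"], "ts": rec["unixTime"], "path": path, "kind": kind})
    return findings


def unexplained_logons(logons, vpn_sessions, badge_events, grace=BADGE_GRACE):
    """CorrelatedSources: keep logons that neither fall inside one of the user's VPN sessions
    nor follow a badge-in by that user at the logon site within `grace` seconds."""
    def explained(l):
        via_vpn = any(v["user"] == l["user"] and v["start"] <= l["ts"] <= v["end"] for v in vpn_sessions)
        via_badge = any(b["user"] == l["user"] and b["site"] == l["site"]
                        and 0 <= l["ts"] - b["ts"] <= grace for b in badge_events)
        return via_vpn or via_badge
    return [l for l in logons if not explained(l)]


# Constructed osquery differential results (2025-10-21 UTC): sshd rewritten with a new hash,
# an unknown SecurityAgent plugin created, sudo rewritten unchanged, a file outside the watch list.
SAMPLE_OSQUERY = [
    json.dumps({"name": "pam_watch", "hostIdentifier": "mac01", "unixTime": 1761055200, "action": "added",
                "columns": {"target_path": "/etc/pam.d/sshd", "action": "UPDATED", "sha256": "d4" * 32}}),
    json.dumps({"name": "pam_watch", "hostIdentifier": "mac01", "unixTime": 1761055260, "action": "added",
                "columns": {"target_path": "/Library/Security/SecurityAgentPlugins/Helper.bundle/Contents/MacOS/Helper",
                            "action": "CREATED", "sha256": "e5" * 32}}),
    json.dumps({"name": "pam_watch", "hostIdentifier": "mac02", "unixTime": 1761055300, "action": "added",
                "columns": {"target_path": "/etc/pam.d/sudo", "action": "UPDATED", "sha256": "b2" * 32}}),
    json.dumps({"name": "pam_watch", "hostIdentifier": "mac02", "unixTime": 1761055360, "action": "added",
                "columns": {"target_path": "/etc/ssh/sshd_config", "action": "UPDATED", "sha256": "f6" * 32}}),
]

# Constructed access records: alice badged in shortly before her console logon; bob is on VPN;
# root has neither; carol's only badge-in was two days earlier.
SAMPLE_LOGONS = [
    {"ts": 1761055500, "user": "alice", "host": "mac01", "site": "HQ"},
    {"ts": 1761055560, "user": "bob", "host": "mac02", "site": "HQ"},
    {"ts": 1761055620, "user": "root", "host": "mac01", "site": "HQ"},
    {"ts": 1761055680, "user": "carol", "host": "mac02", "site": "HQ"},
]
SAMPLE_VPN = [{"user": "bob", "start": 1761054000, "end": 1761061200}]
SAMPLE_BADGE = [{"ts": 1761054900, "user": "alice", "site": "HQ"},
                {"ts": 1760882400, "user": "carol", "site": "HQ"}]


def run_sample():
    return plugin_changes(SAMPLE_OSQUERY), unexplained_logons(SAMPLE_LOGONS, SAMPLE_VPN, SAMPLE_BADGE)
```

`run_sample()` returns two plugin findings (the tampered /etc/pam.d/sshd and the unknown Helper plugin) and two unexplained logons (root and carol). Comparing hashes rather than only paths is what lets the baseline distinguish a package reinstall from a modified file; the hash column is populated only if the osquery file path configuration enables hashing for the watched category.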