Skip to content

T1556.003 Pluggable Authentication Modules

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.123

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as, can be patched to accept arbitrary adversary supplied values as legitimate credentials.4

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.51

Item Value
ID T1556.003
Sub-techniques T1556.001, T1556.002, T1556.003, T1556.004, T1556.005, T1556.006, T1556.007, T1556.008
Tactics TA0006, TA0005, TA0003
Platforms Linux, macOS
Permissions required root
Version 2.0
Created 26 June 2020
Last Modified 17 October 2021

Procedure Examples

ID Name Description
S0377 Ebury Ebury can deactivate PAM modules to tamper with the sshd configuration.7
S0468 Skidmap Skidmap has the ability to replace the file on an infected machine with its own malicious version that accepts a specific backdoor password for all users.6


ID Mitigation Description
M1032 Multi-factor Authentication Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
M1026 Privileged Account Management Limit access to the root account and prevent users from modifying PAM components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.


ID Data Source Data Component
DS0022 File File Modification
DS0028 Logon Session Logon Session Creation