Benchmark: T1556.003 Modify Authentication Process: Pluggable Authentication Modules
Overview
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections
Start the Powerpipe server:
powerpipe server
Open http://localhost:9033 in your browser and select T1556.003 Modify Authentication Process: Pluggable Authentication Modules.
Run this benchmark in your terminal:
powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0006_t1556_003
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0006_t1556_003 --share