Clankerusecase
MITRE ATT&CK detection coverage

T1556.003 Pluggable Authentication Modules

T1556.003 — Pluggable Authentication Modules is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 4 detection use cases covering it and 2 threat-intel articles citing it.

Defense Evasion · Persistence · Credential Access
4 Use cases
2 Articles
0 Sub-techniques
3 Tactics

Use cases covering this technique (4)

[LLM] Velvet Ant PAM Module Replacement (pam_unix.so backdoor) · Bespoke install · alerting · DSΣPDDCS
[LLM] Unauthorized write to Linux PAM authentication module (pam_unix.so swap) · Bespoke install · alerting · DSΣPDDCS
[LLM] sshd writing to non-standard files (credential-capture log artifact) · Bespoke actions · hunting · DSPDDCS
[LLM] First-seen pam_unix.so / sshd / ssh binary hash in Linux fleet · Bespoke install · hunting · DSPDDCS

Articles citing this technique (2)