The “P” in PAM is for Persistence: Linux Persistence Technique
Summary
This article introduces a Linux persistence technique that leverages Pluggable Authentication Modules (PAM). It describes how this method can be used by penetration testers for privilege escalation, lateral movement, and establishing persistence on compromised Linux systems.
IFF Assessment
FOE
This article describes a technique that attackers can use to maintain access and escalate privileges on Linux systems, which poses a threat to defenders.
Defender Context
Defenders should be aware of PAM's role in authentication and authorization to detect and prevent unauthorized persistence mechanisms. Monitoring PAM configuration changes and unusual authentication flows can help identify such attacks.