EXPLORE

← Back to Explore

T1003.008

/etc/passwd and /etc/shadow

Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information, including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats) Linux stores user information such as...

Linux

13

Detections

2

Sources

0

Threat Actors

BY SOURCE

10elastic3splunk_escu

PROCEDURES (11)

Lateral2 detections

Auto-extracted: 2 detections for lateral

Dump2 detections

Auto-extracted: 2 detections for dump

Credential1 detections

Auto-extracted: 1 detections for credential

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Lateral1 detections

Auto-extracted: 1 detections for lateral

Persist1 detections

Auto-extracted: 1 detections for persist

Inject1 detections

Auto-extracted: 1 detections for inject

Inject1 detections

Auto-extracted: 1 detections for inject

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Inject1 detections

Auto-extracted: 1 detections for inject

DETECTIONS (13)

Dumping Account Hashes via Built-In Commands

ESXi Sensitive Files Accessed

Linux Auditd Possible Access To Credential Files

Linux Possible Access To Credential Files

Potential Linux Credential Dumping via Unshadow

Potential Privilege Escalation via Linux DAC permissions

Potential Shadow File Read via Command Line Utilities

Potential Suspicious File Edit

Potential Unauthorized Access via Wildcard Injection Detected

Suspicious Execution from Foomatic-rip or Cupsd Parent

Suspicious Execution via Windows Subsystem for Linux

Suspicious Symbolic Link Created

Web Server Potential Command Injection Request