ID | Name |
---|---|
T1003.001 | LSASS Memory |
T1003.002 | Security Account Manager |
T1003.003 | NTDS |
T1003.004 | LSA Secrets |
T1003.005 | Cached Domain Credentials |
T1003.006 | DCSync |
T1003.007 | Proc Filesystem |
T1003.008 | /etc/passwd and /etc/shadow |
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information, including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.[1]
Linux stores user information such as user ID, group ID, home directory path, and login shell in /etc/passwd
. A "user" on the system may belong to a person or a service. All password hashes are stored in /etc/shadow
- including entries for users with no passwords and users with locked or disabled accounts.[1]
Adversaries may attempt to read or dump the /etc/passwd
and /etc/shadow
files on Linux systems via command line utilities such as the cat
command.[2] Additionally, the Linux utility unshadow
can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
[3]. Since the user information stored in /etc/passwd
are linked to the password hashes in /etc/shadow
, an adversary would need to have access to both.
ID | Name | Description |
---|---|---|
S0349 | LaZagne |
LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[4] |
C0045 | ShadowRay |
During ShadowRay, threat actors used |
ID | Mitigation | Description |
---|---|---|
M1027 | Password Policies |
Ensure that root accounts have complex, unique passwords across all systems on the network. |
M1026 | Privileged Account Management |
Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may attempt to dump the contents of Analytic 1 - Unexpected command execution involving /etc/passwd and /etc/shadow.
|
DS0022 | File | File Access |
Monitor for files being accessed that may attempt to dump the contents of Analytic 1 - Unauthorized access to /etc/passwd and /etc/shadow.
|