1. Home
  2. Techniques
  3. Enterprise
  4. OS Credential Dumping
  5. /etc/passwd and /etc/shadow

OS Credential Dumping: /etc/passwd and /etc/shadow

ID Name
T1003.001 LSASS Memory
T1003.002 Security Account Manager
T1003.003 NTDS
T1003.004 LSA Secrets
T1003.005 Cached Domain Credentials
T1003.006 DCSync
T1003.007 Proc Filesystem
T1003.008 /etc/passwd and /etc/shadow

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.[1]

Linux stores user information such as user ID, group ID, home directory path, and login shell in /etc/passwd. A "user" on the system may belong to a person or a service. All password hashes are stored in /etc/shadow - including entries for users with no passwords and users with locked or disabled accounts.[1]

Adversaries may attempt to read or dump the /etc/passwd and /etc/shadow files on Linux systems via command line utilities such as the cat command.[2] Additionally, the Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db[3]. Since the user information stored in /etc/passwd are linked to the password hashes in /etc/shadow, an adversary would need to have access to both.

ID: T1003.008
Sub-technique of:  T1003
Tactic: Credential Access
Platforms: Linux
Version: 1.2
Created: 11 February 2020
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
S0349 LaZagne

LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[4]
C0045 ShadowRay

During ShadowRay, threat actors used cat /etc/shadow to steal password hashes.[5]

Mitigations

ID Mitigation Description
M1027 Password Policies

Ensure that root accounts have complex, unique passwords across all systems on the network.
M1026 Privileged Account Management

Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.

Analytic 1 - Unexpected command execution involving /etc/passwd and /etc/shadow.

index=os sourcetype="linux_audit" command IN ("cat /etc/passwd", "cat /etc/shadow", "grep /etc/passwd", "grep /etc/shadow") | eval Command=command | eval TargetFile=case(match(Command, ".passwd."), "/etc/passwd", match(Command, ".shadow."), "/etc/shadow")
DS0022 File File Access

Monitor for files being accessed that may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.

Analytic 1 - Unauthorized access to /etc/passwd and /etc/shadow.

index=os sourcetype="linux_audit" file IN ("/etc/passwd", "/etc/shadow")

References

  1. The Linux Documentation Project. (n.d.). Linux Password and Shadow File Formats. Retrieved February 19, 2020.
  2. Julian Tuin, Stefan Hostetler, Jon Grimm, Aaron Diaz, and Trevor Daher. (2024, November 22). Arctic Wolf Observes Threat Campaign Targeting Palo Alto Networks Firewall Devices. Retrieved January 8, 2025.
  3. Vivek Gite. (2014, September 17). Linux Password Cracking: Explain unshadow and john Commands (John the Ripper Tool). Retrieved February 19, 2020.
  1. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  2. Lumelsly, A. et al. (2024, March 26). ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild. Retrieved December 2, 2024.