OS Credential Dumping: /etc/passwd and /etc/shadow

Other sub-techniques of OS Credential Dumping (8)

ID	Name
T1003.001	LSASS Memory
T1003.002	Security Account Manager
T1003.003	NTDS
T1003.004	LSA Secrets
T1003.005	Cached Domain Credentials
T1003.006	DCSync
T1003.007	Proc Filesystem
T1003.008	/etc/passwd and /etc/shadow

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.^[1]

The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:^[2] # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db

ID: T1003.008

Sub-technique of: T1003

ⓘ

Tactic: Credential Access

ⓘ

Platforms: Linux

Version: 1.1

Created: 11 February 2020

Last Modified: 25 September 2024

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
S0349	LaZagne	LaZagne can obtain credential information from /etc/shadow using the shadow.py module.^[3]

Mitigations

ID	Mitigation	Description
M1027	Password Policies	Ensure that root accounts have complex, unique passwords across all systems on the network.
M1026	Privileged Account Management	Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	Monitor executed commands and arguments that may attempt to dump the contents of `/etc/passwd` and `/etc/shadow` to enable offline password cracking. Analytic 1 - Unexpected command execution involving /etc/passwd and /etc/shadow. `index=os sourcetype="linux_audit" command IN ("cat /etc/passwd", "cat /etc/shadow", "grep /etc/passwd", "grep /etc/shadow") \| eval Command=command \| eval TargetFile=case(match(Command, ".passwd."), "/etc/passwd", match(Command, ".shadow."), "/etc/shadow")`
DS0022	File	File Access	Monitor for files being accessed that may attempt to dump the contents of `/etc/passwd` and `/etc/shadow` to enable offline password cracking. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access `/etc/passwd` and `/etc/shadow`, alerting on the pid, process name, and arguments of such programs. Analytic 1 - Unauthorized access to /etc/passwd and /etc/shadow. `index=os sourcetype="linux_audit" file IN ("/etc/passwd", "/etc/shadow")`

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.

Analytic 1 - Unexpected command execution involving /etc/passwd and /etc/shadow.

index=os sourcetype="linux_audit" command IN ("cat /etc/passwd", "cat /etc/shadow", "grep /etc/passwd", "grep /etc/shadow") | eval Command=command | eval TargetFile=case(match(Command, ".passwd."), "/etc/passwd", match(Command, ".shadow."), "/etc/shadow")

DS0022

File

File Access

Monitor for files being accessed that may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.

Analytic 1 - Unauthorized access to /etc/passwd and /etc/shadow.

index=os sourcetype="linux_audit" file IN ("/etc/passwd", "/etc/shadow")

References

Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.