
Attack: OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems split user account information across the two files: /etc/passwd holds the world-readable account metadata (user name, UID, GID, home directory, shell) with a placeholder "x" in the password field, and /etc/shadow holds the password hashes together with password-ageing fields. By default, /etc/shadow is readable only by the root user (and, on distributions that use a shadow group, members of that group), so reading it normally requires root privileges or a privilege escalation.(Citation: Linux Password and Shadow File Formats)

The unshadow utility, which ships with John the Ripper rather than with the base system, merges the two files by replacing the placeholder in the passwd password field with the matching hash from shadow, producing the format John the Ripper and similar crackers expect:(Citation: nixCraft - John the Ripper)

    # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db

Note that writing the merged file to /tmp leaves the hashes in a world-readable directory with the creating user's default umask permissions; when investigating a host, look for such staged files as well as for the read of /etc/shadow itself.
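The merge that unshadow performs, shown as an added example that is not code from the page or from John the Ripper. It builds a constructed passwd and shadow pair in a temporary directory, so nothing on the real system is read, and it also counts how many merged entries carry a crackable hash, since locked accounts ("!", "*", "!!") are not worth feeding to a cracker. File names and the sample hash are assumptions:

```shell
#!/bin/sh
# Added example: emulate "unshadow passwd shadow" on constructed sample files.
# Assumption: nothing here touches the real /etc/passwd or /etc/shadow.

# Constructed sample /etc/passwd; the password field is "x" (see shadow).
make_sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
}

# Constructed sample /etc/shadow. The SHA-512 crypt string for alice is a
# made-up placeholder; "!" and "*" mark locked accounts with no password.
make_sample_shadow() {
  cat <<'EOF'
root:!:19000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
}

# unshadow_files PASSWD SHADOW: print each passwd line with field 2 replaced
# by the shadow hash for the same user name. Shadow is read first (NR==FNR)
# to build the user -> hash map, then passwd is rewritten.
unshadow_files() {
  awk -F: -v OFS=: '
    NR == FNR { hash[$1] = $2; next }
    { if ($1 in hash) $2 = hash[$1]; print }' "$2" "$1"
}

# crackable_lines FILE: count merged entries whose hash is a real hash,
# i.e. non-empty and not a locked marker such as "*", "!" or "!!".
crackable_lines() {
  awk -F: '$2 != "" && $2 !~ /^[*!]/ { n++ } END { print n + 0 }' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_passwd > "$tmp/passwd"
make_sample_shadow > "$tmp/shadow"
unshadow_files "$tmp/passwd" "$tmp/shadow" > "$tmp/crack.password.db"
```

Only the alice entry survives the crackable filter in this sample; in a real dump the same filter separates the handful of interactive accounts from the dozens of system accounts that carry no hash at all.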

MITRE

Tactic

technique

Test: Access /etc/shadow (Local)

OS

Description:

The /etc/shadow file is read locally on a Linux host, which is the access a credential-dumping tool such as unshadow needs before the hashes can be cracked offline.

Executor

bash
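A defender's counterpart to this test, added here as an example that is not part of the page or of any published Sigma rule: an auditd file watch on /etc/shadow and a small filter that pulls the reading process out of the resulting audit records. The rule (`auditctl -w /etc/shadow -p r -k shadow_read`), the key name and the log lines are constructed for the example; the lines mimic the SYSCALL/PATH records auditd emits when such a watch fires. Processes that legitimately read the file at logon (sshd, login, su, sudo, passwd, unix_chkpwd) are excluded, and denied attempts are kept, since a failed read by an unprivileged user is exactly the precursor worth seeing:

```shell
#!/bin/sh
# Added example: detect reads of /etc/shadow from auditd records.
# Assumed rule on the monitored host (not run here):
#   auditctl -w /etc/shadow -p r -k shadow_read
# The records below are constructed; timestamps, pids and paths are assumptions.

sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1500 pid=1501 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="shadow_read"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="shadow_read"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1600 pid=1601 auid=1000 uid=1000 gid=1000 euid=1000 comm="unshadow" exe="/usr/bin/unshadow" key="shadow_read"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1700 pid=1701 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="other"
EOF
}

# shadow_readers: read audit records on stdin and print "auid exe success"
# for every SYSCALL record carrying the shadow_read key, minus the binaries
# expected to read /etc/shadow during authentication. Failed reads
# (success=no, EACCES) are reported too: they show an unprivileged user
# probing for the file.
shadow_readers() {
  awk '
    /type=SYSCALL/ && /key="shadow_read"/ {
      auid = ""; exe = ""; ok = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "auid")    auid = kv[2]
        if (kv[1] == "exe")     exe  = kv[2]
        if (kv[1] == "success") ok   = kv[2]
      }
      gsub(/"/, "", exe)
      # Allow-list of authentication helpers; tune per distribution.
      if (exe ~ /^\/usr\/sbin\/(sshd|unix_chkpwd)$/) next
      if (exe ~ /^\/usr\/bin\/(login|su|sudo|passwd)$/) next
      print auid, exe, ok
    }'
}

sample_audit_log | shadow_readers
```

On a live host the same filter runs over `ausearch -k shadow_read --raw` output. The auid field (the login UID, 4294967295 when unset) is the right attribution key rather than uid, because a sudo'd cat runs as uid 0 but keeps the original user's auid.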

Sigma Rule
