Attack: OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user. (Citation: Linux Password and Shadow File Formats)
The Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper: (Citation: nixCraft - John the Ripper)
# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
MITRE
Tactic
- credential-access
technique
- T1003.008
Test: Access /etc/{shadow,passwd,master.passwd} with a standard bin that’s not cat
OS
- linux
Description:
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
Executor
sh