[T1003.008] OS Credential Dumping: /etc/passwd and /etc/shadow – Adversaries target the /etc/passwd and /etc/shadow files to obtain user account metadata and password hashes for offline cracking, often combining them with tools like unshadow and John the Ripper. Monitor and restrict access to these files, enable auditing, and watch command execution and file access logs to detect and respond to dumping attempts. #OSCredentialDumping #LinuxSecurity
Key points:
- /etc/passwd holds user metadata; it is world-readable and links accounts to hashes in /etc/shadow.
- /etc/shadow contains password hashes and is readable only by root by default.
- Adversaries use simple commands (cat) or utilities (unshadow) to prepare hashes for cracking.
- auditd can log access attempts to both files and record the process name, pid, and command-line arguments.
- Defensive controls: least-privilege, monitoring of command execution, file integrity checks, and rapid alerting.
Description:
- Like a thief copying the index of a safe and the safe’s lock pattern, adversaries gather account listings from /etc/passwd and the corresponding password hashes from /etc/shadow to later try every possible key offline.
- Attackers read or dump /etc/passwd and /etc/shadow (often via commands like cat or tools like unshadow) to obtain username-to-hash mappings for offline cracking with tools such as John the Ripper, enabling credential discovery and lateral movement if successful.
Detection:
- Enable auditd rules to watch reads of /etc/passwd and /etc/shadow (e.g., auditctl -w /etc/shadow -p r -k shadow-read) and alert on matching audit events.
- Monitor process execution logs for programs reading those files (cat, cp, sed, awk, unshadow, perl, python) and alert on suspicious command-line arguments that reference /etc/passwd or /etc/shadow.
- Correlate file access events with unexpected user contexts (non-root users accessing shadow via sudo or exploited processes) to reduce false positives.
- Use OS-level file integrity monitoring (AIDE, Tripwire) to detect unexpected copies created in /tmp or other writable directories (look for files like /tmp/crack.password.db).
- Collect and inspect sudo logs, shell history, and process ancestry to identify misuse of privileged commands or escalation paths used to access shadow data.
- Watch for tooling commonly used in cracking workflows (presence of john, hashcat, or unshadow binaries, and spawned high-CPU jobs) and alert when they appear on production hosts.
- Establish baseline behavior for administrative access and alert on deviations (off-hours root read of shadow, mass copying of user files); validate alerts with context to reduce noise and tune rules accordingly.
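The detection bullets above describe grouping auditd records by event, checking which process touched the two files, and using the user context to separate expected reads from suspicious ones. The following is an added example of that logic written for this page; it is not code from MITRE ATT&CK or any tool the page names. The audit log lines are constructed for illustration, and the list of processes expected to read /etc/shadow during normal authentication (sshd, login, sudo, etc.) is an assumed allowlist that a real deployment would tune to its own baseline.

```python
import re
from collections import defaultdict
from os.path import basename

# Watch rules in auditctl syntax; the first is the page's example, the second extends it to /etc/passwd.
AUDIT_RULES = [
    "-w /etc/shadow -p r -k shadow-read",
    "-w /etc/passwd -p r -k passwd-read",
]
WATCHED_FILES = {"/etc/shadow", "/etc/passwd"}
READER_COMMANDS = {"cat", "cp", "sed", "awk", "unshadow", "perl", "python", "python3"}
CRACKING_TOOLS = {"john", "hashcat", "unshadow"}
# Assumed allowlist: daemons that legitimately read /etc/shadow while authenticating users.
EXPECTED_READERS = {"sshd", "login", "sudo", "su", "passwd", "unix_chkpwd", "chage"}

_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Split one raw auditd line into key/value fields plus its event serial and timestamp."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    fields = {key: (quoted if raw.startswith('"') else raw) for key, raw, quoted in _FIELD_RE.findall(line)}
    fields["timestamp"], fields["serial"] = float(m.group(1)), int(m.group(2))
    return fields


def group_events(lines):
    """Group SYSCALL/EXECVE/PATH records that share an audit serial into one event."""
    events = defaultdict(lambda: {"PATH": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        ev["serial"] = rec["serial"]
        if rec.get("type") == "PATH":
            ev["PATH"].append(rec)
        else:
            ev[rec.get("type")] = rec
    return events


def _execve_args(execve):
    """Reassemble argv from an EXECVE record (a0, a1, ... in numeric order)."""
    if not execve:
        return []
    keys = sorted((k for k in execve if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
    return [execve[k] for k in keys]


def assess_event(ev):
    """Return an alert dict if the event touches a watched file, else None."""
    syscall = ev.get("SYSCALL", {})
    paths = {p.get("name") for p in ev["PATH"]}
    args = _execve_args(ev.get("EXECVE"))
    touched = (paths | set(args)) & WATCHED_FILES
    if not touched:
        return None
    comm, exe = syscall.get("comm", ""), basename(syscall.get("exe", ""))
    auid, uid = syscall.get("auid", "unset"), syscall.get("uid", "")
    reasons = []
    if syscall.get("key") in ("shadow-read", "passwd-read"):
        reasons.append(f"audit watch hit ({syscall['key']})")
    if comm in READER_COMMANDS:
        reasons.append(f"generic reader command {comm}")
    if comm in CRACKING_TOOLS or exe in CRACKING_TOOLS:
        reasons.append(f"cracking tool {comm or exe}")
    # auid is the login user; uid=0 with a non-root auid means sudo/su or an escalated process.
    if auid not in ("unset", "4294967295") and auid != uid:
        reasons.append(f"privilege change auid={auid} uid={uid}")
    if "/etc/shadow" in touched:
        if comm in EXPECTED_READERS and not (set(args) & WATCHED_FILES):
            severity = "info"  # expected authentication read; keep for baselining, do not page
        elif any(r.startswith(("cracking", "privilege")) for r in reasons):
            severity = "high"
        else:
            severity = "medium"
    else:
        severity = "low"  # /etc/passwd is world-readable; only meaningful in correlation
    return {"serial": ev["serial"], "pid": syscall.get("pid"), "auid": auid, "uid": uid,
            "comm": comm, "files": sorted(touched), "args": args, "severity": severity, "reasons": reasons}


def detect(lines):
    """Run the assessment over raw auditd lines and return alerts in serial order."""
    return [a for a in (assess_event(ev) for _, ev in sorted(group_events(lines).items())) if a]


# Constructed sample: sudo-run cat of /etc/shadow (execve + openat), sshd's normal read,
# a sudo-run unshadow, and an ordinary user reading the world-readable /etc/passwd.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.120:4200): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2011 pid=2045 auid=1001 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key=(null)
type=EXECVE msg=audit(1700000000.120:4200): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.123:4201): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2011 pid=2045 auid=1001 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="shadow-read"
type=PATH msg=audit(1700000000.123:4201): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000010.500:4202): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="shadow-read"
type=PATH msg=audit(1700000010.500:4202): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000020.000:4203): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2011 pid=2100 auid=1001 uid=0 gid=0 euid=0 comm="unshadow" exe="/usr/sbin/unshadow" key=(null)
type=EXECVE msg=audit(1700000020.000:4203): argc=3 a0="unshadow" a1="/etc/passwd" a2="/etc/shadow"
type=SYSCALL msg=audit(1700000030.000:4204): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3000 pid=3010 auid=1002 uid=1002 gid=1002 euid=1002 comm="cat" exe="/usr/bin/cat" key=(null)
type=EXECVE msg=audit(1700000030.000:4204): argc=2 a0="cat" a1="/etc/passwd"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert["severity"].upper(), alert["serial"], alert["comm"], alert["files"], "; ".join(alert["reasons"]))
```

Two points are worth noting in use. First, the execve of `cat` and its later openat of /etc/shadow arrive as separate audit events with the same pid, so a production pipeline would correlate on pid and ppid (process ancestry, as the bullets suggest) rather than alert on each event. Second, the sshd read is deliberately kept as an "info" record instead of being dropped: it is the baseline that makes an off-hours or non-daemon read of /etc/shadow stand out.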
Tactics:
Credential Access
Platforms:
Linux
Data Sources:
Command: Command Execution, File: File Access
Relationship Citations:
(Citation: GitHub LaZagne Dec 2018), (Citation: Oligo ShadowRay Campaign MAR 2024)