/etc/passwd and /etc/shadow - T1003.008
(ATT&CK® Technique)
Definition
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, with the password hashes held in /etc/shadow. By default, /etc/shadow is only readable by the root user, so dumping the hashes generally requires elevated privileges; /etc/passwd, by contrast, is typically world-readable.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1003008["/etc/passwd and /etc/shadow"] --> |accesses| EncryptedCredential["Encrypted Credential"]; class T1003008 OffensiveTechniqueNode; class EncryptedCredential ArtifactNode; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; click T1003008 href "/offensive-technique/attack/T1003.008/"; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; T1003008["/etc/passwd and /etc/shadow"] --> |accesses| PasswordFile["Password File"]; class T1003008 OffensiveTechniqueNode; class PasswordFile ArtifactNode; click PasswordFile href "/dao/artifact/d3f:PasswordFile"; click T1003008 href "/offensive-technique/attack/T1003.008/"; click PasswordFile href "/dao/artifact/d3f:PasswordFile"; DecoyFile["Decoy File"] --> | spoofs | PasswordFile["Password File"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1003008["/etc/passwd and /etc/shadow"] ; class DecoyFile DefensiveTechniqueNode; class PasswordFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyUserCredential["Decoy User Credential"] --> | spoofs | EncryptedCredential["Encrypted Credential"]; DecoyUserCredential["Decoy User Credential"] -.-> | may-deceive | T1003008["/etc/passwd and /etc/shadow"] ; class DecoyUserCredential DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | EncryptedCredential["Encrypted Credential"]; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | may-evict | T1003008["/etc/passwd and /etc/shadow"] ; class AuthenticationCacheInvalidation DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; FileEviction["File Eviction"] --> | deletes | PasswordFile["Password File"]; FileEviction["File Eviction"] -.-> | may-evict | T1003008["/etc/passwd and 
/etc/shadow"] ; class FileEviction DefensiveTechniqueNode; class PasswordFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; CredentialRevocation["Credential Revocation"] --> | deletes | EncryptedCredential["Encrypted Credential"]; CredentialRevocation["Credential Revocation"] -.-> | may-evict | T1003008["/etc/passwd and /etc/shadow"] ; class CredentialRevocation DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialRevocation href "/technique/d3f:CredentialRevocation"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | PasswordFile["Password File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1003008["/etc/passwd and /etc/shadow"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class PasswordFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; Multi-factorAuthentication["Multi-factor Authentication"] --> | uses | EncryptedCredential["Encrypted Credential"]; Multi-factorAuthentication["Multi-factor Authentication"] -.-> | may-harden | T1003008["/etc/passwd and /etc/shadow"] ; class Multi-factorAuthentication DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; CredentialRotation["Credential Rotation"] --> | regenerates | EncryptedCredential["Encrypted Credential"]; CredentialRotation["Credential Rotation"] -.-> | may-harden | T1003008["/etc/passwd and /etc/shadow"] ; class CredentialRotation DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialRotation href "/technique/d3f:CredentialRotation"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | EncryptedCredential["Encrypted Credential"]; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | may-detect | T1003008["/etc/passwd and /etc/shadow"] ; class CredentialCompromiseScopeAnalysis 
DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; FileEncryption["File Encryption"] --> | encrypts | PasswordFile["Password File"]; FileEncryption["File Encryption"] -.-> | may-harden | T1003008["/etc/passwd and /etc/shadow"] ; class FileEncryption DefensiveTechniqueNode; class PasswordFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] --> | restricts | PasswordFile["Password File"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1003008["/etc/passwd and /etc/shadow"] ; class LocalFilePermissions DefensiveTechniqueNode; class PasswordFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreDatabase["Restore Database"] --> | restores | PasswordFile["Password File"]; RestoreDatabase["Restore Database"] -.-> | may-restore | T1003008["/etc/passwd and /etc/shadow"] ; class RestoreDatabase DefensiveTechniqueNode; class PasswordFile ArtifactNode; click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreFile["Restore File"] --> | restores | PasswordFile["Password File"]; RestoreFile["Restore File"] -.-> | may-restore | T1003008["/etc/passwd and /etc/shadow"] ; class RestoreFile DefensiveTechniqueNode; class PasswordFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; CredentialTransmissionScoping["Credential Transmission Scoping"] --> | isolates | EncryptedCredential["Encrypted Credential"]; CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | may-isolate | T1003008["/etc/passwd and /etc/shadow"] ; class CredentialTransmissionScoping DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; ReissueCredential["Reissue Credential"] --> | restores | EncryptedCredential["Encrypted 
Credential"]; ReissueCredential["Reissue Credential"] -.-> | may-restore | T1003008["/etc/passwd and /etc/shadow"] ; class ReissueCredential DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click ReissueCredential href "/technique/d3f:ReissueCredential"; FileAnalysis["File Analysis"] --> | analyzes | PasswordFile["Password File"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1003008["/etc/passwd and /etc/shadow"] ; class FileAnalysis DefensiveTechniqueNode; class PasswordFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; CredentialHardening["Credential Hardening"] --> | hardens | EncryptedCredential["Encrypted Credential"]; CredentialHardening["Credential Hardening"] -.-> | may-harden | T1003008["/etc/passwd and /etc/shadow"] ; class CredentialHardening DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialHardening href "/technique/d3f:CredentialHardening"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | PasswordFile["Password File"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1003008["/etc/passwd and /etc/shadow"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class PasswordFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";