/etc/passwd and /etc/shadow - T1003.008
(ATT&CK® Technique)
Definition
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, with the password hashes held in /etc/shadow. By default, /etc/shadow is only readable by the root user. /etc/passwd, by contrast, is world-readable, so read access to /etc/shadow is the step that requires elevated privileges and the one most worth auditing.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1003008["/etc/passwd and /etc/shadow"] --> |accesses| EncryptedCredential["Encrypted Credential"]; class T1003008 OffensiveTechniqueNode; class EncryptedCredential ArtifactNode; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; click T1003008 href "/offensive-technique/attack/T1003.008/"; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; T1003008["/etc/passwd and /etc/shadow"] --> |accesses| PasswordFile["Password File"]; class T1003008 OffensiveTechniqueNode; class PasswordFile ArtifactNode; click PasswordFile href "/dao/artifact/d3f:PasswordFile"; click T1003008 href "/offensive-technique/attack/T1003.008/"; click PasswordFile href "/dao/artifact/d3f:PasswordFile"; LocalFilePermissions["Local File Permissions"] --> | restricts | PasswordFile["Password File"]; LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1003008["/etc/passwd and /etc/shadow"] ; class LocalFilePermissions DefensiveTechniqueNode; class PasswordFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] --> | encrypts | PasswordFile["Password File"]; FileEncryption["File Encryption"] -.-> | May Harden | T1003008["/etc/passwd and /etc/shadow"] ; class FileEncryption DefensiveTechniqueNode; class PasswordFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; DecoyUserCredential["Decoy User Credential"] --> | spoofs | EncryptedCredential["Encrypted Credential"]; DecoyUserCredential["Decoy User Credential"] -.-> | May Deceive | T1003008["/etc/passwd and /etc/shadow"] ; class DecoyUserCredential DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; DecoyFile["Decoy File"] --> | spoofs | PasswordFile["Password File"]; DecoyFile["Decoy File"] -.-> | May Deceive | T1003008["/etc/passwd and /etc/shadow"] ; class DecoyFile DefensiveTechniqueNode; class PasswordFile 
ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | EncryptedCredential["Encrypted Credential"]; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | May Evict | T1003008["/etc/passwd and /etc/shadow"] ; class AuthenticationCacheInvalidation DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; CredentialRevoking["Credential Revoking"] --> | deletes | EncryptedCredential["Encrypted Credential"]; CredentialRevoking["Credential Revoking"] -.-> | May Evict | T1003008["/etc/passwd and /etc/shadow"] ; class CredentialRevoking DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialRevoking href "/technique/d3f:CredentialRevoking"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | EncryptedCredential["Encrypted Credential"]; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | May Detect | T1003008["/etc/passwd and /etc/shadow"] ; class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | PasswordFile["Password File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | May Detect | T1003008["/etc/passwd and /etc/shadow"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class PasswordFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; CredentialTransmissionScoping["Credential Transmission Scoping"] --> | restricts | EncryptedCredential["Encrypted Credential"]; CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | May Harden | T1003008["/etc/passwd and /etc/shadow"] ; class 
CredentialTransmissionScoping DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; CredentialRotation["Credential Rotation"] --> | regenerates | EncryptedCredential["Encrypted Credential"]; CredentialRotation["Credential Rotation"] -.-> | May Harden | T1003008["/etc/passwd and /etc/shadow"] ; class CredentialRotation DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialRotation href "/technique/d3f:CredentialRotation"; ReissueCredential["Reissue Credential"] --> | restores | EncryptedCredential["Encrypted Credential"]; ReissueCredential["Reissue Credential"] -.-> | May Restore | T1003008["/etc/passwd and /etc/shadow"] ; class ReissueCredential DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click ReissueCredential href "/technique/d3f:ReissueCredential"; RestoreDatabase["Restore Database"] --> | restores | PasswordFile["Password File"]; RestoreDatabase["Restore Database"] -.-> | May Restore | T1003008["/etc/passwd and /etc/shadow"] ; class RestoreDatabase DefensiveTechniqueNode; class PasswordFile ArtifactNode; click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreFile["Restore File"] --> | restores | PasswordFile["Password File"]; RestoreFile["Restore File"] -.-> | May Restore | T1003008["/etc/passwd and /etc/shadow"] ; class RestoreFile DefensiveTechniqueNode; class PasswordFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; FileRemoval["File Removal"] --> | deletes | PasswordFile["Password File"]; FileRemoval["File Removal"] -.-> | May Evict | T1003008["/etc/passwd and /etc/shadow"] ; class FileRemoval DefensiveTechniqueNode; class PasswordFile ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; FileAnalysis["File Analysis"] --> | analyzes | PasswordFile["Password File"]; FileAnalysis["File Analysis"] -.-> | May Detect | T1003008["/etc/passwd and /etc/shadow"] ; class 
FileAnalysis DefensiveTechniqueNode; class PasswordFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis";