/etc/passwd and /etc/shadow - T1003.008
(ATT&CK® Technique)
Definition
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems store user account information across /etc/passwd and /etc/shadow, with the password hashes held in /etc/shadow. By default, /etc/shadow is readable only by the root user, so under default permissions an adversary needs root-level access to read the hashes.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
%% Inferred-relationship graph for ATT&CK T1003.008, /etc/passwd and /etc/shadow.
%% T1003008 is the offensive technique node; it has solid "accesses" edges to two
%% artifact nodes, EncryptedCredential and PasswordFile.
%% Every defensive technique below appears as a pair of edges: one solid edge to
%% one of those two artifacts (spoofs, analyzes, deletes, encrypts, restricts, ...)
%% and one dashed may-* edge to T1003008 (may-deceive, may-detect, may-evict,
%% may-harden, may-isolate, may-restore).
%% NOTE(review): the dashed may-* edges look derived from the shared artifact, not
%% from tested coverage of this technique, so read them as candidates to evaluate.
%% Some pairings (File Eviction "deletes", Content Quarantine "quarantines") would
%% presumably apply to stray copies or exposed hashes rather than to the live
%% /etc/passwd or /etc/shadow; confirm on each technique's own page.
%% The class and click statements are repeated for the shared nodes; the repeats
%% assign the same class and the same href each time.
T1003008["/etc/passwd and /etc/shadow"] --> |accesses| EncryptedCredential["Encrypted Credential"]; class T1003008 OffensiveTechniqueNode;
class EncryptedCredential ArtifactNode; click EncryptedCredential href "../../../dao/artifact/d3f:EncryptedCredential";
click T1003008 href "../../../offensive-technique/attack/T1003.008/"; click EncryptedCredential href "../../../dao/artifact/d3f:EncryptedCredential"; T1003008["/etc/passwd and /etc/shadow"] --> |accesses| PasswordFile["Password File"]; class T1003008 OffensiveTechniqueNode;
class PasswordFile ArtifactNode; click PasswordFile href "../../../dao/artifact/d3f:PasswordFile";
click T1003008 href "../../../offensive-technique/attack/T1003.008/"; click PasswordFile href "../../../dao/artifact/d3f:PasswordFile"; DecoyFile["Decoy File"] -->
| spoofs | PasswordFile["Password File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1003008["/etc/passwd and /etc/shadow"] ;
class DecoyFile DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click DecoyFile href "../../../technique/d3f:DecoyFile"; DecoyUserCredential["Decoy User Credential"] -->
| spoofs | EncryptedCredential["Encrypted Credential"];
DecoyUserCredential["Decoy User Credential"] -.->
| may-deceive | T1003008["/etc/passwd and /etc/shadow"] ;
class DecoyUserCredential DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click DecoyUserCredential href "../../../technique/d3f:DecoyUserCredential"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | PasswordFile["Password File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1003008["/etc/passwd and /etc/shadow"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
| analyzes | EncryptedCredential["Encrypted Credential"];
CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
| may-detect | T1003008["/etc/passwd and /etc/shadow"] ;
class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialCompromiseScopeAnalysis href "../../../technique/d3f:CredentialCompromiseScopeAnalysis"; FileEviction["File Eviction"] -->
| deletes | PasswordFile["Password File"];
FileEviction["File Eviction"] -.->
| may-evict | T1003008["/etc/passwd and /etc/shadow"] ;
class FileEviction DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileEviction href "../../../technique/d3f:FileEviction"; CredentialRevocation["Credential Revocation"] -->
| deletes | EncryptedCredential["Encrypted Credential"];
CredentialRevocation["Credential Revocation"] -.->
| may-evict | T1003008["/etc/passwd and /etc/shadow"] ;
class CredentialRevocation DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialRevocation href "../../../technique/d3f:CredentialRevocation"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
| deletes | EncryptedCredential["Encrypted Credential"];
AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
| may-evict | T1003008["/etc/passwd and /etc/shadow"] ;
class AuthenticationCacheInvalidation DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click AuthenticationCacheInvalidation href "../../../technique/d3f:AuthenticationCacheInvalidation"; FileEncryption["File Encryption"] -->
| encrypts | PasswordFile["Password File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1003008["/etc/passwd and /etc/shadow"] ;
class FileEncryption DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileEncryption href "../../../technique/d3f:FileEncryption"; CredentialRotation["Credential Rotation"] -->
| regenerates | EncryptedCredential["Encrypted Credential"];
CredentialRotation["Credential Rotation"] -.->
| may-harden | T1003008["/etc/passwd and /etc/shadow"] ;
class CredentialRotation DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialRotation href "../../../technique/d3f:CredentialRotation"; ContentModification["Content Modification"] -->
| modifies | PasswordFile["Password File"];
ContentModification["Content Modification"] -.->
| may-isolate | T1003008["/etc/passwd and /etc/shadow"] ;
class ContentModification DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click ContentModification href "../../../technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] -->
| quarantines | PasswordFile["Password File"];
ContentQuarantine["Content Quarantine"] -.->
| may-isolate | T1003008["/etc/passwd and /etc/shadow"] ;
class ContentQuarantine DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click ContentQuarantine href "../../../technique/d3f:ContentQuarantine"; Multi-factorAuthentication["Multi-factor Authentication"] -->
| uses | EncryptedCredential["Encrypted Credential"];
Multi-factorAuthentication["Multi-factor Authentication"] -.->
| may-harden | T1003008["/etc/passwd and /etc/shadow"] ;
class Multi-factorAuthentication DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click Multi-factorAuthentication href "../../../technique/d3f:Multi-factorAuthentication"; CredentialTransmissionScoping["Credential Transmission Scoping"] -->
| isolates | EncryptedCredential["Encrypted Credential"];
CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
| may-isolate | T1003008["/etc/passwd and /etc/shadow"] ;
class CredentialTransmissionScoping DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialTransmissionScoping href "../../../technique/d3f:CredentialTransmissionScoping"; LocalFilePermissions["Local File Permissions"] -->
| restricts | PasswordFile["Password File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1003008["/etc/passwd and /etc/shadow"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] -->
| restores | PasswordFile["Password File"];
RestoreFile["Restore File"] -.->
| may-restore | T1003008["/etc/passwd and /etc/shadow"] ;
class RestoreFile DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click RestoreFile href "../../../technique/d3f:RestoreFile"; RestoreDatabase["Restore Database"] -->
| restores | PasswordFile["Password File"];
RestoreDatabase["Restore Database"] -.->
| may-restore | T1003008["/etc/passwd and /etc/shadow"] ;
class RestoreDatabase DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click RestoreDatabase href "../../../technique/d3f:RestoreDatabase"; ReissueCredential["Reissue Credential"] -->
| restores | EncryptedCredential["Encrypted Credential"];
ReissueCredential["Reissue Credential"] -.->
| may-restore | T1003008["/etc/passwd and /etc/shadow"] ;
class ReissueCredential DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click ReissueCredential href "../../../technique/d3f:ReissueCredential"; FileAnalysis["File Analysis"] -->
| analyzes | PasswordFile["Password File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1003008["/etc/passwd and /etc/shadow"] ;
class FileAnalysis DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click FileAnalysis href "../../../technique/d3f:FileAnalysis"; CredentialHardening["Credential Hardening"] -->
| hardens | EncryptedCredential["Encrypted Credential"];
CredentialHardening["Credential Hardening"] -.->
| may-harden | T1003008["/etc/passwd and /etc/shadow"] ;
class CredentialHardening DefensiveTechniqueNode;
class EncryptedCredential ArtifactNode;
click CredentialHardening href "../../../technique/d3f:CredentialHardening"; ContentFiltering["Content Filtering"] -->
| filters | PasswordFile["Password File"];
ContentFiltering["Content Filtering"] -.->
| may-isolate | T1003008["/etc/passwd and /etc/shadow"] ;
class ContentFiltering DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click ContentFiltering href "../../../technique/d3f:ContentFiltering"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | PasswordFile["Password File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1003008["/etc/passwd and /etc/shadow"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class PasswordFile ArtifactNode;
click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";