| ID | Name |
|---|---|
| T1003.001 | LSASS Memory |
| T1003.002 | Security Account Manager |
| T1003.003 | NTDS |
| T1003.004 | LSA Secrets |
| T1003.005 | Cached Domain Credentials |
| T1003.006 | DCSync |
| T1003.007 | Proc Filesystem |
| T1003.008 | /etc/passwd and /etc/shadow |
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.[1]
The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:[2] # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
| ID | Name | Description |
|---|---|---|
| S0349 | LaZagne |
LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[3] |
| ID | Mitigation | Description |
|---|---|---|
| M1027 | Password Policies |
Ensure that root accounts have complex, unique passwords across all systems on the network. |
| M1026 | Privileged Account Management |
Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.