DET0446 Credential Access via /etc/passwd and /etc/shadow Parsing

Item	Value
ID	DET0446
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1003.008 (/etc/passwd and /etc/shadow)

Analytics

Linux

AN1234

Adversaries attempt to read sensitive files such as /etc/passwd and /etc/shadow for credential dumping. This may involve access to the files directly via command-line utilities (e.g., cat, less), creation of backup copies, or parsing through post-exploitation frameworks. Multi-event correlation includes elevated process execution, file access/read on sensitive paths, and anomalous read behaviors tied to non-root or unusual users.

Log Sources

Data Component	Name	Channel
File Access (DC0055)	auditd:SYSCALL	open, read
Process Creation (DC0032)	auditd:SYSCALL	execve

Mutable Elements

Field	Description
exe	Executable name used to access credentials (e.g., cat, cp, awk); can vary across environments
user	User context under which the access occurs; typically root, but can be non-standard in attacks
PATH	Target file paths (e.g., /etc/passwd, /etc/shadow); may vary in containerized or customized systems
TimeWindow	Time correlation threshold for chaining access and execution events