T1003.008 /etc/passwd and /etc/shadow Mappings

Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)

The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1003.008 /etc/passwd and /etc/shadow
AC-3 Access Enforcement Protects T1003.008 /etc/passwd and /etc/shadow
AC-5 Separation of Duties Protects T1003.008 /etc/passwd and /etc/shadow
AC-6 Least Privilege Protects T1003.008 /etc/passwd and /etc/shadow
CA-7 Continuous Monitoring Protects T1003.008 /etc/passwd and /etc/shadow
CM-2 Baseline Configuration Protects T1003.008 /etc/passwd and /etc/shadow
CM-5 Access Restrictions for Change Protects T1003.008 /etc/passwd and /etc/shadow
CM-6 Configuration Settings Protects T1003.008 /etc/passwd and /etc/shadow
IA-2 Identification and Authentication (organizational Users) Protects T1003.008 /etc/passwd and /etc/shadow
IA-5 Authenticator Management Protects T1003.008 /etc/passwd and /etc/shadow
SC-28 Protection of Information at Rest Protects T1003.008 /etc/passwd and /etc/shadow
SC-39 Process Isolation Protects T1003.008 /etc/passwd and /etc/shadow
SI-3 Malicious Code Protection Protects T1003.008 /etc/passwd and /etc/shadow
SI-4 System Monitoring Protects T1003.008 /etc/passwd and /etc/shadow
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow
attribute.confidentiality.data_disclosure related-to T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow