T1003.008 /etc/passwd and /etc/shadow Mappings

Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)

The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1003.008 /etc/passwd and /etc/shadow
AC-3 Access Enforcement Protects T1003.008 /etc/passwd and /etc/shadow
AC-5 Separation of Duties Protects T1003.008 /etc/passwd and /etc/shadow
AC-6 Least Privilege Protects T1003.008 /etc/passwd and /etc/shadow
CA-7 Continuous Monitoring Protects T1003.008 /etc/passwd and /etc/shadow
CM-2 Baseline Configuration Protects T1003.008 /etc/passwd and /etc/shadow
CM-5 Access Restrictions for Change Protects T1003.008 /etc/passwd and /etc/shadow
CM-6 Configuration Settings Protects T1003.008 /etc/passwd and /etc/shadow
IA-2 Identification and Authentication (organizational Users) Protects T1003.008 /etc/passwd and /etc/shadow
IA-5 Authenticator Management Protects T1003.008 /etc/passwd and /etc/shadow
SC-28 Protection of Information at Rest Protects T1003.008 /etc/passwd and /etc/shadow
SC-39 Process Isolation Protects T1003.008 /etc/passwd and /etc/shadow
SI-3 Malicious Code Protection Protects T1003.008 /etc/passwd and /etc/shadow
SI-4 System Monitoring Protects T1003.008 /etc/passwd and /etc/shadow
CVE-2020-3240 Cisco UCS Director secondary_impact T1003.008 /etc/passwd and /etc/shadow
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow
amazon_inspector Amazon Inspector technique_scores T1003.008 /etc/passwd and /etc/shadow
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal.
References