Detections
Analytics
OS Credential Dumping: /etc/passwd and /etc/shadow
Description
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Linux machines | Authenticated Scan | SSH | Linux Users | Plugin ID: 95928 |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Credential Access
Technique: OS Credential Dumping
Sub-Technique: /etc/passwd and /etc/shadow
Platform: Linux
Products Required: Tenable Vulnerability Management
Tenable Release Date: 2023 Q4