| ID | Name |
|---|---|
| T1003.001 | LSASS Memory |
| T1003.002 | Security Account Manager |
| T1003.003 | NTDS |
| T1003.004 | LSA Secrets |
| T1003.005 | Cached Domain Credentials |
| T1003.006 | DCSync |
| T1003.007 | Proc Filesystem |
| T1003.008 | /etc/passwd and /etc/shadow |
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.[1]
The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:[2] # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
| ID | Name | Description |
|---|---|---|
| S0349 | LaZagne |
LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[3] |
| ID | Mitigation | Description |
|---|---|---|
| M1027 | Password Policies |
Ensure that root accounts have complex, unique passwords across all systems on the network. |
| M1026 | Privileged Account Management |
Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may attempt to dump the contents of |
| DS0022 | File | File Access |
Monitor for files being accessed that may attempt to dump the contents of |