Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1234: Analytic 1234

Adversaries attempt to read sensitive files such as /etc/passwd and /etc/shadow for credential dumping. This may involve access to the files directly via command-line utilities (e.g., cat, less), creation of backup copies, or parsing through post-exploitation frameworks. Multi-event correlation includes elevated process execution, file access/read on sensitive paths, and anomalous read behaviors tied to non-root or unusual users.

EnterpriseAN1234AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because access to Linux credential-related files such as /etc/passwd and /etc/shadow can be an early sign that an intruder is trying to collect account material for later privilege escalation or lateral movement. For leaders, the value is not just whether a rule exists, but whether the organization can prove it collects the right Linux process, user, privilege, and file-access evidence to distinguish legitimate administration from suspicious credential-focused activity.

Executive priority

Prioritize this as a Linux identity and incident-readiness validation item. Security leaders should ask whether sensitive file access is monitored on critical Linux systems, whether privileged administrative activity is explainable, and whether incident responders can quickly determine which user or process attempted access. This supports operational resilience, audit evidence for access monitoring, and better prioritization of Linux logging and endpoint visibility investments.

Technical view

The supplied ATT&CK object describes a Linux-focused detection analytic for attempts to read sensitive files such as /etc/passwd and /etc/shadow using command-line utilities, backup-copy creation, or post-exploitation tooling. SOC and detection teams should validate multi-event correlation across elevated process execution, reads of sensitive paths, anomalous user context, and unusual non-root access patterns. Because no ATT&CK detection text or relationship context is supplied, teams should avoid assuming a complete detection strategy and instead test whether local telemetry can support the described correlation.

Likely telemetry

  • Linux process execution events, including command name, arguments where available, parent process, user, and privilege context
  • File access or file read telemetry for sensitive paths such as /etc/passwd and /etc/shadow
  • Privilege elevation or elevated execution events on Linux systems
  • User identity context distinguishing root, expected administrators, service accounts, and unusual or non-root users
  • File copy or backup-creation activity involving sensitive credential-related files

Detection direction

  • Validate that Linux file-read telemetry exists for the sensitive paths named in the object; process-only logging may miss direct file access patterns.
  • Correlate sensitive file access with process execution and privilege context rather than alerting on a single event in isolation.
  • Tune for expected administrative and system-management activity to reduce false positives, especially legitimate reads of /etc/passwd.
  • Treat /etc/shadow access by unusual users, unexpected processes, or newly elevated sessions as higher priority for triage.
  • Look for backup-copy or parsing behavior involving the sensitive files, not only simple command-line viewing utilities.

Mitigation priorities

  • Confirm least-privilege controls and administrative access governance for Linux systems that store or expose sensitive account files.
  • Harden permissions and access controls around sensitive credential-related files according to Linux security policy.
  • Ensure Linux endpoint, audit, or host-monitoring configuration captures process, user, privilege, and file-access evidence needed for investigation.
  • Create an incident response procedure for suspicious access to /etc/passwd or /etc/shadow, including user validation, process lineage review, and scope checks across similar hosts.
  • Use this analytic as a compliance-readiness check: verify that monitoring evidence can show who accessed sensitive authentication-related files and under what privilege context.
Analyst notes and limits

The object is a detection analytic, not a full ATT&CK technique record. It is limited to Linux and describes correlation logic around sensitive file reads, elevated execution, and anomalous users. No tactics, related techniques, groups, software, mitigations, or official detection implementation are supplied, so local environment testing is required before operationalizing it.

Official detection content is not provided, and no relationship context is supplied. This take cannot infer active exploitation, actor attribution, business impact, or existing detection coverage. The usefulness of the analytic depends on whether the organization collects Linux process, file-access, privilege, and identity telemetry at sufficient fidelity.

Official MITRE ATT&CK definition

Analytic 1234

Adversaries attempt to read sensitive files such as /etc/passwd and /etc/shadow for credential dumping. This may involve access to the files directly via command-line utilities (e.g., cat, less), creation of backup copies, or parsing through post-exploitation frameworks. Multi-event correlation includes elevated process execution, file access/read on sensitive paths, and anomalous read behaviors tied to non-root or unusual users.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
10195e58cb114875...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 10195e58cb11…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1234
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use