AN1613: Analytic 1613
Enumeration of users and groups through suspicious shell commands or unauthorized access to /etc/passwd or /etc/shadow.
Analyst context for executives and security teams
This analytic is about spotting Linux user and group enumeration, especially suspicious shell activity or unauthorized access to /etc/passwd and /etc/shadow. For leaders, the practical issue is identity exposure: these files and commands can reveal local accounts, privilege structure, and password-hash material, which may shape later attacker decisions. Even without a mapped tactic or detection logic from ATT&CK, this is a useful control-validation item for Linux estate visibility and incident readiness.
Executive priority
Prioritize this where Linux systems support critical applications, privileged administration, or regulated workloads. The business question is whether the organization can prove it sees abnormal account-discovery behavior on Linux hosts and can distinguish legitimate administration from suspicious enumeration. This supports SOC readiness, identity governance evidence, and incident response scoping when account exposure is suspected.
Technical view
Validate that Linux host monitoring can capture shell command activity and file access involving /etc/passwd and /etc/shadow. Because the ATT&CK object does not provide a detection query, tactic mapping, or relationship context, teams should treat AN1613 as a detection objective rather than a complete rule. Focus on whether access is authorized, which account or process performed it, whether the access occurred through an interactive shell or script, and whether it deviates from known administrative baselines.
Likely telemetry
- Linux process execution and command-line telemetry
- Shell history or terminal session logging where available
- File access auditing for /etc/passwd and /etc/shadow
- User, UID, group, and privilege context for the accessing process
- Authentication and sudo/su logs to determine whether access was authorized
Detection direction
- Confirm that telemetry exists for both suspicious shell commands and direct file access to /etc/passwd and /etc/shadow.
- Tune detections against known-good administrative activity, configuration management tools, backup processes, and identity-management agents to reduce false positives.
- Prioritize higher-severity review when /etc/shadow is accessed by unexpected users, shells, or processes, since access to /etc/shadow (which holds password-hash material) is more sensitive than routine reads of the world-readable /etc/passwd.
- Correlate enumeration activity with recent logons, privilege changes, sudo usage, and unusual process ancestry.
- Document coverage gaps for Linux systems without command-line logging, file audit policy, or centralized log collection.
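A worked example of the triage logic outlined above, added here and not part of the ATT&CK object or Glexia's analysis: it runs over constructed sample telemetry, applies a hypothetical known-good reader allowlist, rates /etc/shadow access above /etc/passwd, and escalates a user who issues repeated enumeration commands. The log format, the allowlist, and the command pattern are all assumptions that a team would replace with its own baseline.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real audit output): one event per line in a
# simplified key=value shape modelled on auditd file-watch and execve records.
SAMPLE_LOG = """\
ts=1 user=root tty=none exe=/usr/sbin/sssd path=/etc/passwd cmd=
ts=2 user=backup tty=none exe=/usr/bin/tar path=/etc/shadow cmd=
ts=3 user=www-data tty=none exe=/bin/sh path=/etc/shadow cmd=
ts=4 user=alice tty=pts/0 exe=/bin/bash path= cmd=getent passwd
ts=5 user=alice tty=pts/0 exe=/bin/bash path= cmd=cat /etc/group
ts=6 user=bob tty=pts/1 exe=/bin/bash path= cmd=ls -la /tmp
"""

EVENT = re.compile(r"ts=(\d+) user=(\S+) tty=(\S+) exe=(\S+) path=(\S*) cmd=(.*)")

# Hypothetical local baseline: processes expected to read each file. A real
# allowlist comes from the site's own identity-agent, backup and config-management inventory.
ALLOWED_READERS = {
    "/etc/passwd": {"/usr/sbin/sssd", "/usr/bin/tar", "/usr/sbin/sshd"},
    "/etc/shadow": {"/usr/bin/tar", "/usr/sbin/sshd"},
}
# Shell commands that enumerate local accounts or groups (assumed pattern).
ENUM_CMD = re.compile(r"^(?:(?:cat|less|more|head|grep|awk)\s+\S*/etc/(?:passwd|shadow|group)\b"
                      r"|getent\s+(?:passwd|group|shadow)\b|lastlog\b|id\b|who\b|w\b)")

def triage(log_text, burst=2):
    """Return (ts, user, severity, reason) tuples for events worth analyst review."""
    findings, enum_count = [], defaultdict(int)
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # lines that do not fit the expected shape are ignored
        ts, user, tty, exe, path, cmd = m.groups()
        if path in ALLOWED_READERS and exe not in ALLOWED_READERS[path]:
            # Direct file access outside the baseline: shadow outranks passwd.
            sev = "high" if path == "/etc/shadow" else "low"
            findings.append((int(ts), user, sev, f"{exe} read {path} outside baseline"))
        elif cmd and ENUM_CMD.match(cmd):
            # Repeated enumeration by one user within the log window escalates.
            enum_count[user] += 1
            sev = "high" if enum_count[user] >= burst else "medium"
            findings.append((int(ts), user, sev, f"enumeration command on {tty}: {cmd}"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```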
Mitigation priorities
- Establish least-privilege access controls and administrative baselines for Linux account and group data.
- Restrict and monitor access to sensitive account files, especially /etc/shadow.
- Ensure Linux audit or endpoint telemetry is enabled on systems where account enumeration would materially affect risk.
- Centralize relevant Linux logs so SOC and IR teams can investigate account-discovery activity across hosts.
- Use approved administration and configuration-management workflows so legitimate enumeration is attributable and easier to separate from suspicious behavior.
Analyst notes and limits
AN1613 is a detection analytic in the enterprise ATT&CK domain for Linux. The official description is limited to enumeration of users and groups through suspicious shell commands or unauthorized access to /etc/passwd or /etc/shadow. No official detection logic, tactic mapping, aliases, labels, or relationship context were supplied, so the value is primarily as a coverage and validation prompt for Linux identity-discovery monitoring.
This take is constrained to the supplied ATT&CK fields. It does not infer a specific technique, adversary, campaign, impact, or active exploitation. Local baselines are required to determine what counts as suspicious or unauthorized in a given Linux environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | db137bf5a3d5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1613 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.