Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0446: Credential Access via /etc/passwd and /etc/shadow Parsing

This detection strategy matters because it is tied to a Linux credential-access behavior: attempts to obtain account and password-hash data from /etc/passw...

EnterpriseDET0446Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it is tied to a Linux credential-access behavior: attempts to obtain account and password-hash data from /etc/passwd and /etc/shadow for possible offline password cracking. For leaders, the practical issue is not only file access; it is whether Linux identity stores, privileged access, and SOC visibility are strong enough to show when sensitive credential material is being accessed outside normal administrative activity.

Executive priority

Prioritize this as a Linux credential-protection and incident-readiness control area. Executives and risk owners should ask whether critical Linux systems have auditable controls around privileged file access, whether SOC teams can distinguish legitimate administration from suspicious credential-store access, and whether incident responders have a playbook for possible password-hash exposure. This supports resilience, identity governance, and audit evidence for privileged-access monitoring.

Technical view

ATT&CK provides no official detection text for DET0446, but the relationship anchors the strategy to T1003.008, /etc/passwd and /etc/shadow, under Credential Access on Linux. SOC and detection teams should validate telemetry for reads, copies, permission changes, command execution, and privileged session activity involving these files, especially when performed by unusual users, processes, parent processes, or hosts. IR teams should treat confirmed suspicious access to /etc/shadow as potential credential material exposure and scope related privileged activity on the affected Linux system.

Likely telemetry

  • Linux file access audit logs for /etc/passwd and /etc/shadow
  • Process execution telemetry showing commands or tools interacting with sensitive account files
  • Privilege escalation or root/sudo session logs around the time of access
  • File permission, ownership, or integrity monitoring events for the credential files
  • Endpoint detection or host audit data that preserves process, user, timestamp, and parent-process context

Detection direction

  • Validate that Linux systems generate file-access telemetry for sensitive account files; many environments log authentication but not file reads by default.
  • Tune detections around context: root or administrative access may be legitimate, but unusual users, nonstandard processes, unexpected parent processes, or access on high-value servers should increase priority.
  • Correlate file access with privilege escalation, remote login, command execution, and subsequent authentication activity to reduce false positives.
  • Account for blind spots where endpoint agents, audit rules, or log forwarding are not deployed consistently across Linux fleets.
  • Use the relationship to T1003.008 as the analytic anchor; do not assume coverage from this detection strategy alone because MITRE did not provide official detection logic.

Mitigation priorities

  • Restrict and monitor privileged access to Linux systems, especially access capable of reading /etc/shadow.
  • Ensure file permissions and ownership for sensitive account files match secure Linux defaults and are monitored for change.
  • Deploy or validate host-level audit and endpoint telemetry on Linux systems that support business-critical workloads.
  • Maintain incident response procedures for suspected credential-store exposure, including scoping, password reset decisions, and privileged-account review.
  • Use vulnerability and configuration management to identify Linux assets where audit coverage or privileged-access controls are missing.
Analyst notes and limits

The supplied object is a detection strategy with no official description or detection content. The strongest context comes from its relationship to ATT&CK technique T1003.008, which describes adversaries dumping /etc/passwd and /etc/shadow to enable offline password cracking. Detection engineering should therefore be locally validated against Linux audit, endpoint, and authentication data rather than treated as a complete MITRE-provided analytic.

Platforms and tactics are not specified on the detection-strategy object itself; Linux and Credential Access are supported only through the related T1003.008 technique. No active exploitation, actor attribution, prevalence, or guaranteed detection coverage is stated in the supplied data.

Official MITRE ATT&CK definition

Credential Access via /etc/passwd and /etc/shadow Parsing

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1003.008 /etc/passwd and /etc/shadow Sub-technique This object detects /etc/passwd and /etc/shadow.
Relationship explorer

All related ATT&CK context

detects · Technique T1003.008: /etc/passwd and /etc/shadow Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
a20a7ccfeb3f954f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle a20a7ccfeb3f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0446
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use