T1003.008: /etc/passwd and /etc/shadow
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.[1]
Linux stores user information such as user ID, group ID, home directory path, and login shell in /etc/passwd. A "user" on the system may belong to a person or a service. All password hashes are stored in /etc/shadow - including entries for users with no passwords and users with locked or disabled accounts.[1]
Adversaries may attempt to read or dump the /etc/passwd and /etc/shadow files on Linux systems via command line utilities such as the cat command.[2] Additionally, the Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db[3]. Since the user information stored in /etc/passwd are linked to the password hashes in /etc/shadow, an adversary would need to have access to both.
Analyst context for executives and security teams
On Linux systems, this technique matters because access to /etc/passwd and especially /etc/shadow can give an intruder the account and password-hash material needed for offline password cracking. For leaders, the business issue is not the files themselves; it is whether a compromised Linux host can become a source of reusable credentials that expand an incident across servers, applications, service accounts, and cloud-connected workloads.
Executive priority
Treat this as a credential-access control validation for Linux estates. Priority questions: which systems still allow broad read visibility into account data, who can read /etc/shadow, are root and service-account actions logged, and can the SOC distinguish legitimate administration from suspicious credential collection? This is also relevant to compliance evidence because privileged access, password policy, and audit logging are directly tied to proving control over sensitive credential material.
Technical view
This is a Linux sub-technique under OS Credential Dumping. ATT&CK describes adversaries attempting to read or dump /etc/passwd and /etc/shadow, and notes that /etc/shadow is normally readable only by root. SOC and IR teams should validate monitoring for access to these files, suspicious shell activity involving account database files, and use of password-recovery tooling such as LaZagne where applicable. Relationship context includes DET0446, Credential Access via /etc/passwd and /etc/shadow Parsing, plus mitigations M1026 Privileged Account Management and M1027 Password Policies.
Likely telemetry
- Linux process execution telemetry for shells and command-line utilities accessing /etc/passwd or /etc/shadow
- File access or audit events for reads of /etc/shadow and /etc/passwd, especially by unexpected users or processes
- Privilege escalation or root-session audit logs preceding access to /etc/shadow
- Authentication and account-management logs for privileged users and service accounts
- Endpoint detection or file integrity monitoring events involving credential-relevant system files
Detection direction
- Validate whether DET0446-style logic is implemented or mapped in the environment for parsing or access to /etc/passwd and /etc/shadow.
- Tune detections around context: legitimate backup, configuration management, identity administration, vulnerability scanning, and system maintenance may read these files.
- Prioritize alerts where /etc/shadow access occurs from non-standard processes, temporary directories, interactive shells, or shortly after privilege changes.
- Check blind spots on Linux servers, appliances, containers, AI or compute workloads, and cloud-hosted Linux instances where endpoint logging may be inconsistent.
- Correlate file access with subsequent credential-use behavior rather than relying only on a single file-read event.
Mitigation priorities
- Enforce privileged account management: restrict root access, use least privilege, monitor privileged sessions, and maintain accountability through logging and auditing.
- Harden permissions and administrative workflows so only approved privileged users and processes can access /etc/shadow.
- Apply strong password policies to reduce the value of captured hashes if files are exposed.
- Review service accounts and locked or disabled accounts because ATT&CK notes /etc/shadow can contain entries for those account types as well.
- Ensure incident response playbooks include password-hash exposure decisions, such as credential reset scope and review of lateral movement risk.
Analyst notes and limits
ATT&CK links this behavior to the broader OS Credential Dumping technique, the ShadowRay campaign relationship, and LaZagne software. Use those relationships as context for detection engineering and threat-informed validation, not as proof that the behavior is present in a specific environment.
The ATT&CK object does not provide official detection text. Local conclusions require environment-specific evidence: Linux audit configuration, endpoint visibility, privileged access model, service-account inventory, and normal administrative baselines.
/etc/passwd and /etc/shadow
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.[1]
Linux stores user information such as user ID, group ID, home directory path, and login shell in /etc/passwd. A "user" on the system may belong to a person or a service. All password hashes are stored in /etc/shadow - including entries for users with no passwords and users with locked or disabled accounts.[1]
Adversaries may attempt to read or dump the /etc/passwd and /etc/shadow files on Linux systems via command line utilities such as the cat command.[2] Additionally, the Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db[3]. Since the user information stored in /etc/passwd are linked to the password hashes in /etc/shadow, an adversary would need to have access to both.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003 | OS Credential Dumping | This object subtechnique of OS Credential Dumping. |
Groups, software, and campaigns
S0349: LaZagne
C0045: ShadowRay
ShadowRay was a campaign that began in late 2023 targeting the education, cryptocurrency, biopharma, and other sectors through a vulnerability (CVE-2023-48022) in the Ray AI framework named ShadowRay. According to security researchers ShadowRay was the first known instance of AI workloads being activley exploited in the wild through vulnerabilities in AI infrastructure. CVE-2023-48022, which allows access to compute resources and sensitive data for exposed instances, remains unpatched and has been disputed by the vendor as they maintain that Ray is not intended for use outside of a strictly controlled network environment.[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | f6d43f003ec7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Linux Password and Shadow File Formats
The Linux Documentation Project. (n.d.). Linux Password and Shadow File Formats. Retrieved February 19, 2020.
Open source URL -
[2]
Arctic Wolf
Julian Tuin, Stefan Hostetler, Jon Grimm, Aaron Diaz, and Trevor Daher. (2024, November 22). Arctic Wolf Observes Threat Campaign Targeting Palo Alto Networks Firewall Devices. Retrieved January 8, 2025.
Open source URL -
[3]
nixCraft - John the Ripper
Vivek Gite. (2014, September 17). Linux Password Cracking: Explain unshadow and john Commands (John the Ripper Tool). Retrieved February 19, 2020.
Open source URL -
[4]
mitre-attack T1003.008Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.