T1003.008 /etc/passwd and /etc/shadow Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ShadowFileAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath in~ ("/etc/shadow", "/etc/shadow-", "/etc/shadow.bak",
                        "/etc/master.passwd", "/etc/security/passwd")
| where InitiatingProcessFileName !in~ ("passwd", "chpasswd", "useradd", "usermod",
                                         "chage", "pam_unix.so", "shadow", "login")
| project Timestamp, DeviceName, AccountName, FolderPath, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
let UnshadowCommand = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "unshadow"
    or (ProcessCommandLine has "/etc/shadow" and ProcessCommandLine has "/etc/passwd")
    or ProcessCommandLine has_any ("john", "hashcat") and ProcessCommandLine has "shadow"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let LaZagneShadow = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "lazagne"
    and ProcessCommandLine has_any ("shadow", "linux", "all")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union ShadowFileAccess, UnshadowCommand, LaZagneShadow
| sort by Timestamp desc

critical severity high confidence

Data Sources

File: File Access Process: Process Creation Command: Command Execution

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

System package managers (apt, yum, dnf) modifying /etc/shadow during user account package installations
Configuration management tools (Ansible, Puppet, Chef) managing user accounts and updating /etc/shadow
Legitimate password change operations by passwd, chpasswd, or chage tools — these access /etc/shadow by design
Backup software with root access reading /etc/shadow as part of full system configuration backup
Security scanning tools (Lynis, OpenSCAP) performing compliance checks that read /etc/shadow metadata

Splunk

spl

index=linux_logs
  (sourcetype="linux_auditd" OR sourcetype="auditd")
  (syscall=open OR syscall=openat OR syscall=read)
  (name="/etc/shadow" OR name="/etc/shadow-" OR name="/etc/master.passwd"
   OR name="/etc/security/passwd")
  NOT (exe="/usr/bin/passwd" OR exe="/usr/sbin/chpasswd" OR exe="/usr/sbin/useradd"
       OR exe="/usr/sbin/usermod" OR exe="/usr/sbin/chage" OR exe="/sbin/login")
| eval risk=case(
    match(exe, "python|perl|ruby|bash|sh|cat|cp|scp"), "HIGH",
    match(exe, "john|hashcat|unshadow|lazagne"), "CRITICAL",
    1==1, "MEDIUM"
  )
| table _time, host, exe, uid, pid, name, risk
| sort - _time
| union
  [search index=linux_logs (sourcetype="linux_secure" OR sourcetype="syslog")
   ("unshadow" OR "lazagne" OR "john" OR "hashcat")
   ("shadow" OR "passwd")
  | table _time, host, process, message
  | sort - _time]

critical severity high confidence

Data Sources

Linux: Auditd Syscall Events File: File Access Process: Process Creation

Required Sourcetypes

linux_auditd auditd linux_secure syslog

False Positives

System authentication stack (PAM, login, su, sudo) accessing /etc/shadow during legitimate user authentication
useradd, usermod, chage, and chpasswd accessing /etc/shadow during account management operations
Automated provisioning tools (cloud-init, Ansible) writing /etc/shadow during initial system configuration
Backup agents with root access reading /etc/shadow as part of system state capture
Security auditing tools performing authorized password policy compliance checks

Elastic Security (EQL)

eql

any where
  (
    event.category == "file" and
    event.type in ("access", "creation", "change") and
    file.path in ("/etc/shadow", "/etc/shadow-", "/etc/shadow.bak", "/etc/master.passwd", "/etc/security/passwd") and
    not process.name in ("passwd", "chpasswd", "useradd", "usermod", "chage", "pam_unix.so", "shadow", "login", "chsh", "chfn", "newusers")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    (
      process.name in ("unshadow", "lazagne") or
      (process.name in ("john", "hashcat") and process.command_line : "*shadow*") or
      (process.command_line : "*/etc/shadow*" and process.command_line : "*/etc/passwd*") or
      (process.name in ("python", "python3", "perl", "ruby") and process.command_line : "*/etc/shadow*") or
      (process.name in ("cat", "cp", "scp", "dd") and process.args : "/etc/shadow*")
    )
  )

high severity high confidence

Data Sources

Elastic Agent (endpoint) Auditbeat (auditd module) Elastic Endpoint Security

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* auditbeat-*

False Positives

Legitimate system account management tools (useradd, usermod, chpasswd) accessing shadow — excluded by process name filter but edge-case wrappers may trigger
Security auditing tools such as Lynis, AIDE, or Tripwire that validate shadow file integrity and permissions as part of scheduled compliance scans
Configuration management agents (Ansible, Puppet, Chef) executing user provisioning playbooks that read or modify /etc/shadow as root on managed nodes
Backup agents (Bacula, Amanda, rsync run as root) that include /etc/ in full system backups and open shadow files for archival

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "filename" AS accessed_file,
  "process" AS process_name,
  "command" AS command_line,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  CASE
    WHEN "process" ILIKE ANY ('john','hashcat','unshadow','lazagne') THEN 'CRITICAL'
    WHEN "process" ILIKE ANY ('python%','python3','perl','ruby','bash','sh','cat','cp','scp') THEN 'HIGH'
    ELSE 'MEDIUM'
  END AS risk_level
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) ILIKE ANY ('%Linux%', '%Syslog%', '%Auditd%', '%Universal CEF%')
  AND (
    (
      "filename" IN ('/etc/shadow', '/etc/shadow-', '/etc/shadow.bak', '/etc/master.passwd', '/etc/security/passwd')
      AND "process" NOT IN ('passwd', 'chpasswd', 'useradd', 'usermod', 'chage', 'login', 'newusers', 'shadow')
    )
    OR "command" ILIKE '%unshadow%'
    OR (
      "command" ILIKE '%lazagne%'
      AND ("command" ILIKE '%shadow%' OR "command" ILIKE '%linux%' OR "command" ILIKE '%all%')
    )
    OR (
      "command" ILIKE '%/etc/shadow%'
      AND "command" ILIKE '%/etc/passwd%'
    )
    OR (
      "process" ILIKE ANY ('john','hashcat')
      AND "command" ILIKE '%shadow%'
    )
    OR (
      "process" ILIKE ANY ('python%','python3','perl','ruby','cat','cp','scp','bash','sh')
      AND "command" ILIKE '%/etc/shadow%'
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Linux OS log source (auditd) Syslog log source Universal CEF log source IBM QRadar DSM for Linux

Required Tables

events

False Positives

Root-level backup jobs (cron or backup agents) that archive /etc/ including shadow — these will fire unless the backup process name is explicitly excluded
Automated compliance scanners (OpenSCAP, Nessus, Qualys) that read shadow file metadata or permissions during CIS benchmark checks
Container image build processes that copy /etc/shadow into a new image layer when building hardened base images
PAM module testing or custom authentication daemon development that opens /etc/shadow as part of integration tests in dev/staging environments

Sumo Logic CSE

sql

(_sourceCategory=linux* OR _sourceCategory=*auditd* OR _sourceCategory=*syslog*)
| where (
    (
      (%"file.path" in ("/etc/shadow", "/etc/shadow-", "/etc/shadow.bak", "/etc/master.passwd", "/etc/security/passwd")
       OR ("name" in ("/etc/shadow", "/etc/shadow-", "/etc/shadow.bak", "/etc/master.passwd", "/etc/security/passwd")))
      AND !(%"process.name" in ("passwd", "chpasswd", "useradd", "usermod", "chage", "login", "newusers", "shadow"))
    )
    OR matches(%"process.command_line", "(?i)unshadow")
    OR (
      matches(%"process.command_line", "(?i)lazagne")
      AND matches(%"process.command_line", "(?i)(shadow|linux|all)")
    )
    OR (
      matches(%"process.command_line", "/etc/shadow")
      AND matches(%"process.command_line", "/etc/passwd")
    )
    OR (
      %"process.name" in ("john", "hashcat")
      AND matches(%"process.command_line", "(?i)shadow")
    )
    OR (
      %"process.name" in ("cat", "cp", "scp", "python", "python3", "perl", "ruby", "bash", "sh")
      AND matches(%"process.command_line", "/etc/shadow")
    )
  )
| if (matches(%"process.name", "(?i)(john|hashcat|unshadow|lazagne)"), "CRITICAL",
    if (matches(%"process.name", "(?i)(python|perl|ruby|bash|sh|cat|cp|scp)"), "HIGH", "MEDIUM")) as risk_level
| fields _messageTime, _sourceHost, %"user.name", %"process.pid", %"process.name", %"process.command_line", %"file.path", risk_level
| sort by _messageTime desc

high severity high confidence

Data Sources

Linux auditd (via Sumo Logic installed collector) Syslog (Linux secure/auth log) Sumo Logic Cloud SIEM Enterprise normalized events

Required Tables

_sourceCategory=linux* _sourceCategory=*auditd* _sourceCategory=*syslog*

False Positives

Sumo Logic collector itself or its installed scripts running health checks that traverse /etc/ and trigger file open events against shadow
Legitimate privileged user (root) directly reading /etc/shadow with cat or python during account management scripting — requires contextual review of surrounding session activity
Security information and event management (SIEM) forwarder agents that perform log integrity checks on /etc/shadow to detect tampering
LDAP/NIS migration scripts that read /etc/shadow to migrate local accounts to a directory service during infrastructure consolidation

Google Chronicle / SecOps

yaral

rule t1003_008_shadow_file_credential_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects unauthorized access to /etc/shadow and related Linux credential files, and execution of password cracking utilities targeting shadow hashes (MITRE T1003.008)"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1003.008"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "Linux"
    version = "1.0"

  events:
    (
      (
        $e.metadata.event_type = "FILE_OPEN" or
        $e.metadata.event_type = "FILE_READ" or
        $e.metadata.event_type = "FILE_COPY"
      ) and
      $e.target.file.full_path in (
        "/etc/shadow",
        "/etc/shadow-",
        "/etc/shadow.bak",
        "/etc/master.passwd",
        "/etc/security/passwd"
      ) and
      not $e.principal.process.file.full_path in (
        "/usr/bin/passwd",
        "/usr/sbin/chpasswd",
        "/usr/sbin/useradd",
        "/usr/sbin/usermod",
        "/usr/sbin/chage",
        "/sbin/login",
        "/bin/login",
        "/usr/sbin/newusers"
      )
    ) or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.command_line, `(?i)unshadow`) or
        (
          re.regex($e.target.process.command_line, `/etc/shadow`) and
          re.regex($e.target.process.command_line, `/etc/passwd`)
        ) or
        (
          re.regex($e.target.process.file.full_path, `(?i)(john|hashcat)$`) and
          re.regex($e.target.process.command_line, `(?i)shadow`)
        ) or
        (
          re.regex($e.target.process.file.full_path, `(?i)lazagne`) and
          re.regex($e.target.process.command_line, `(?i)(shadow|linux|all)`)
        ) or
        (
          re.regex($e.target.process.file.full_path, `(?i)(python[0-9.]?|perl|ruby|cat|cp|scp|bash|sh)$`) and
          re.regex($e.target.process.command_line, `/etc/shadow`)
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Linux auditd forwarded via Chronicle forwarder Endpoint telemetry via Chronicle ingestion API Google Chronicle SIEM Linux parsers

Required Tables

UDM events (FILE_OPEN, FILE_READ, FILE_COPY, PROCESS_LAUNCH)

False Positives

Wrapper scripts around standard account management tools (e.g., custom useradd wrappers) whose process path does not match standard binary paths and therefore are not excluded by the allowlist
Automated patching or configuration drift detection tools (e.g., Puppet bolt, SaltStack) that use Python or Ruby to read /etc/shadow for user state reconciliation on managed nodes
Forensic or incident response toolkits executed by legitimate analysts on compromised hosts — detection is intentional but analysts should correlate with IR ticket context
Container entrypoint scripts that cp /etc/shadow during image layer construction for hardened base image pipelines running on Chronicle-monitored hosts

CrowdStrike LogScale (CQL)

cql

// Shadow file access and credential cracking tool detection — T1003.008
#repo=base_sensor
(
  (
    #event_simpleName = "ProcessRollup2"
    | CommandLine = /\/etc\/(shadow|shadow-|shadow\.bak|master\.passwd|security\/passwd)/
    | ImageFileName != /\/(usr\/)?(s?bin|sbin)\/(passwd|chpasswd|useradd|usermod|chage|login|newusers)$/
  )
  or
  (
    #event_simpleName = "ProcessRollup2"
    | CommandLine = /unshadow|lazagne.*(shadow|linux|all)|(john|hashcat).*shadow/i
  )
  or
  (
    #event_simpleName = "ProcessRollup2"
    | CommandLine = /\/etc\/shadow/ AND CommandLine = /\/etc\/passwd/
  )
)
| case {
    CommandLine = /unshadow|lazagne|john|hashcat/i | risk_level := "CRITICAL" ;
    CommandLine = /python[0-9.]?|perl|ruby/ AND CommandLine = /\/etc\/shadow/ | risk_level := "HIGH" ;
    * | risk_level := "MEDIUM"
  }
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, risk_level],
    function=[
      count(aid, as=event_count),
      min(@timestamp, as=first_seen),
      max(@timestamp, as=last_seen)
    ]
  )
| sort(last_seen, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (Linux sensor) CrowdStrike Falcon LogScale (Humio) base_sensor repository Falcon ProcessRollup2 events

Required Tables

#repo=base_sensor (ProcessRollup2 events)

False Positives

Legitimate privileged automation using Python or shell scripts to manage Linux users in CI/CD pipelines — Falcon agents on build servers may generate high-volume hits requiring suppression by ComputerName tag
CrowdStrike RTR (Real Time Response) sessions where analysts run cat /etc/shadow for live forensic triage — these appear as ProcessRollup2 events with Falcon's own RTR process ancestry and can be distinguished by ParentImageFileName
Custom PAM modules compiled with debug logging that fork child processes reading /etc/shadow during authentication testing in QA environments
Docker or Podman container build steps on monitored Linux hosts where Dockerfile RUN layers copy or transform /etc/shadow for hardened base image construction

/etc/passwd and /etc/shadow

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections