Detect /etc/passwd and /etc/shadow in Google Chronicle
Adversaries read /etc/passwd and /etc/shadow on Linux and Unix systems to extract password hashes for offline cracking. /etc/passwd contains usernames and user information (world-readable), while /etc/shadow contains the actual password hashes (root-readable only). Together they can be combined with `unshadow` and cracked with John the Ripper or Hashcat. Tools include LaZagne (shadow.py module), direct cat commands, and Python one-liners. Also includes reading from backup copies (/etc/shadow-, /etc/shadow.bak) and cloud instance metadata for default credentials. Used by multiple threat actors as a standard post-exploitation step on Linux systems.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.008 /etc/passwd and /etc/shadow
- Canonical reference
- https://attack.mitre.org/techniques/T1003/008/
YARA-L Detection Query
rule t1003_008_shadow_file_credential_access {
meta:
author = "Argus Detection Engineering"
description = "Detects unauthorized access to /etc/shadow and related Linux credential files, and execution of password cracking utilities targeting shadow hashes (MITRE T1003.008)"
mitre_attack_tactic = "Credential Access"
mitre_attack_technique = "T1003.008"
severity = "HIGH"
confidence = "HIGH"
platform = "Linux"
version = "1.0"
events:
(
(
$e.metadata.event_type = "FILE_OPEN" or
$e.metadata.event_type = "FILE_READ" or
$e.metadata.event_type = "FILE_COPY"
) and
$e.target.file.full_path in (
"/etc/shadow",
"/etc/shadow-",
"/etc/shadow.bak",
"/etc/master.passwd",
"/etc/security/passwd"
) and
not $e.principal.process.file.full_path in (
"/usr/bin/passwd",
"/usr/sbin/chpasswd",
"/usr/sbin/useradd",
"/usr/sbin/usermod",
"/usr/sbin/chage",
"/sbin/login",
"/bin/login",
"/usr/sbin/newusers"
)
) or
(
$e.metadata.event_type = "PROCESS_LAUNCH" and
(
re.regex($e.target.process.command_line, `(?i)unshadow`) or
(
re.regex($e.target.process.command_line, `/etc/shadow`) and
re.regex($e.target.process.command_line, `/etc/passwd`)
) or
(
re.regex($e.target.process.file.full_path, `(?i)(john|hashcat)$`) and
re.regex($e.target.process.command_line, `(?i)shadow`)
) or
(
re.regex($e.target.process.file.full_path, `(?i)lazagne`) and
re.regex($e.target.process.command_line, `(?i)(shadow|linux|all)`)
) or
(
re.regex($e.target.process.file.full_path, `(?i)(python[0-9.]?|perl|ruby|cat|cp|scp|bash|sh)$`) and
re.regex($e.target.process.command_line, `/etc/shadow`)
)
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting unauthorized /etc/shadow file access and password cracking tool execution against Linux credential files. Covers direct file reads by suspicious processes, unshadow/john/hashcat/lazagne execution, and scripting language one-liners targeting shadow hashes. Uses UDM FILE_OPEN, FILE_READ, and PROCESS_LAUNCH event types.
Data Sources
Required Tables
False Positives & Tuning
- Wrapper scripts around standard account management tools (e.g., custom useradd wrappers) whose process path does not match standard binary paths and therefore are not excluded by the allowlist
- Automated patching or configuration drift detection tools (e.g., Puppet bolt, SaltStack) that use Python or Ruby to read /etc/shadow for user state reconciliation on managed nodes
- Forensic or incident response toolkits executed by legitimate analysts on compromised hosts — detection is intentional but analysts should correlate with IR ticket context
- Container entrypoint scripts that cp /etc/shadow during image layer construction for hardened base image pipelines running on Chronicle-monitored hosts
Other platforms for T1003.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Direct /etc/shadow Read with cat
Expected signal: Auditd file watch event (type=SYSCALL, syscall=openat) for /etc/shadow with exe=/bin/cat. DeviceFileEvents (if MDE Linux agent) for /etc/shadow read by cat. Process creation event for cat command with /etc/shadow argument.
- Test 2Unshadow and Password Hash Preparation
Expected signal: Auditd SYSCALL events for openat on both /etc/passwd and /etc/shadow with exe=/usr/bin/unshadow. File creation event for /tmp/atomic_hashes.txt. DeviceProcessEvents for unshadow execution. DeviceFileEvents for shadow and passwd access.
- Test 3LaZagne Linux Shadow Module
Expected signal: DeviceNetworkEvents for GitHub download connection. DeviceProcessEvents for lazagne execution with 'linux -shadow' arguments. Auditd openat events for /etc/shadow with exe=/tmp/lazagne. DeviceFileEvents for /etc/shadow access.
References (6)
- https://attack.mitre.org/techniques/T1003/008/
- https://github.com/AlessandroZ/LaZagne
- https://linux.die.net/man/8/unshadow
- https://www.openwall.com/john/
- https://linux-audit.com/monitoring-of-etc-shadow-using-linux-audit/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md
Unlock Pro Content
Get the full detection package for T1003.008 including response playbook, investigation guide, and atomic red team tests.