T1003.008 IBM QRadar · QRadar

Detect /etc/passwd and /etc/shadow in IBM QRadar

Adversaries read /etc/passwd and /etc/shadow on Linux and Unix systems to extract password hashes for offline cracking. /etc/passwd contains usernames and user information (world-readable), while /etc/shadow contains the actual password hashes (root-readable only). Together they can be combined with `unshadow` and cracked with John the Ripper or Hashcat. Tools include LaZagne (shadow.py module), direct cat commands, and Python one-liners. Also includes reading from backup copies (/etc/shadow-, /etc/shadow.bak) and cloud instance metadata for default credentials. Used by multiple threat actors as a standard post-exploitation step on Linux systems.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.008 /etc/passwd and /etc/shadow
Canonical reference
https://attack.mitre.org/techniques/T1003/008/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "filename" AS accessed_file,
  "process" AS process_name,
  "command" AS command_line,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  CASE
    WHEN "process" ILIKE ANY ('john','hashcat','unshadow','lazagne') THEN 'CRITICAL'
    WHEN "process" ILIKE ANY ('python%','python3','perl','ruby','bash','sh','cat','cp','scp') THEN 'HIGH'
    ELSE 'MEDIUM'
  END AS risk_level
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) ILIKE ANY ('%Linux%', '%Syslog%', '%Auditd%', '%Universal CEF%')
  AND (
    (
      "filename" IN ('/etc/shadow', '/etc/shadow-', '/etc/shadow.bak', '/etc/master.passwd', '/etc/security/passwd')
      AND "process" NOT IN ('passwd', 'chpasswd', 'useradd', 'usermod', 'chage', 'login', 'newusers', 'shadow')
    )
    OR "command" ILIKE '%unshadow%'
    OR (
      "command" ILIKE '%lazagne%'
      AND ("command" ILIKE '%shadow%' OR "command" ILIKE '%linux%' OR "command" ILIKE '%all%')
    )
    OR (
      "command" ILIKE '%/etc/shadow%'
      AND "command" ILIKE '%/etc/passwd%'
    )
    OR (
      "process" ILIKE ANY ('john','hashcat')
      AND "command" ILIKE '%shadow%'
    )
    OR (
      "process" ILIKE ANY ('python%','python3','perl','ruby','cat','cp','scp','bash','sh')
      AND "command" ILIKE '%/etc/shadow%'
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS
high severity high confidence

Detects unauthorized access to /etc/shadow and related Linux credential files, and identifies execution of offline password cracking tools (unshadow, john, hashcat, lazagne). Queries QRadar events from Linux/Syslog/Auditd log sources and assigns risk tiers based on the accessing process.

Data Sources

Linux OS log source (auditd)Syslog log sourceUniversal CEF log sourceIBM QRadar DSM for Linux

Required Tables

events

False Positives & Tuning

  • Root-level backup jobs (cron or backup agents) that archive /etc/ including shadow — these will fire unless the backup process name is explicitly excluded
  • Automated compliance scanners (OpenSCAP, Nessus, Qualys) that read shadow file metadata or permissions during CIS benchmark checks
  • Container image build processes that copy /etc/shadow into a new image layer when building hardened base images
  • PAM module testing or custom authentication daemon development that opens /etc/shadow as part of integration tests in dev/staging environments
Download portable Sigma rule (.yml)

Other platforms for T1003.008

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Direct /etc/shadow Read with cat

    Expected signal: Auditd file watch event (type=SYSCALL, syscall=openat) for /etc/shadow with exe=/bin/cat. DeviceFileEvents (if MDE Linux agent) for /etc/shadow read by cat. Process creation event for cat command with /etc/shadow argument.

  2. Test 2Unshadow and Password Hash Preparation

    Expected signal: Auditd SYSCALL events for openat on both /etc/passwd and /etc/shadow with exe=/usr/bin/unshadow. File creation event for /tmp/atomic_hashes.txt. DeviceProcessEvents for unshadow execution. DeviceFileEvents for shadow and passwd access.

  3. Test 3LaZagne Linux Shadow Module

    Expected signal: DeviceNetworkEvents for GitHub download connection. DeviceProcessEvents for lazagne execution with 'linux -shadow' arguments. Auditd openat events for /etc/shadow with exe=/tmp/lazagne. DeviceFileEvents for /etc/shadow access.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1003.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1003OS Credential Dumping

Related Sub-techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.003NTDST1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.007Proc Filesystem

Related Techniques

T1003OS Credential DumpingT1003.007Proc FilesystemT1110.002Password CrackingT1552.003Bash HistoryT1021.004SSH

Same Tactic: Credential Access

Popular Detections