title: /etc/passwd and /etc/shadow (T1003.008)
id: df00tech-t1003-008
status: experimental
description: "Adversaries read /etc/passwd and /etc/shadow on Linux and Unix systems to extract password hashes for offline cracking. /etc/passwd contains usernames and user information (world-readable), while /etc/shadow contains the actual password hashes (root-readable only). Together they can be combined with `unshadow` and cracked with John the Ripper or Hashcat. Tools include LaZagne (shadow.py module), direct cat commands, and Python one-liners. Also includes reading from backup copies (/etc/shadow-, /etc/shadow.bak) and cloud instance metadata for default credentials. Used by multiple threat actors as a standard post-exploitation step on Linux systems."
references:
  - https://attack.mitre.org/techniques/T1003/008/
  - https://df00tech.com/detections/T1003.008
author: df00tech
date: 2026/04/13
tags:
  - attack.t1003.008
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The technique reads /etc/shadow, so the product is linux (not windows) and the
# events of interest are process executions on Linux hosts.
logsource:
  category: process_creation
  product: linux
detection:
  # The full KQL/SPL query is on df00tech; this selection covers the command-line
  # patterns the description names (direct reads, backup copies such as /etc/shadow-
  # and /etc/shadow.bak, unshadow, and LaZagne's shadow.py module).
  selection:
    CommandLine|contains:
      - '/etc/shadow'
      - 'unshadow'
      - 'shadow.py'
  condition: selection
falsepositives:
  - "System package managers (apt, yum, dnf) modifying /etc/shadow during user account package installations"
  - "Configuration management tools (Ansible, Puppet, Chef) managing user accounts and updating /etc/shadow"
  - "Legitimate password change operations by passwd, chpasswd, or chage tools — these access /etc/shadow by design"
  - "Backup software with root access reading /etc/shadow as part of full system configuration backup"
  - "Security scanning tools (Lynis, OpenSCAP) performing compliance checks that read /etc/shadow metadata"
level: critical
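The following is an added example, not df00tech's code or the rule's published query: a small Python checker that applies the rule's command-line patterns and its listed false-positive programs to constructed Sigma-style process_creation events. The allowlist of expected images and the sample events are assumptions for illustration.

```python
import re

# Paths named in the rule description: the live shadow file and the backup
# copies (/etc/shadow-, /etc/shadow.bak) that some tooling leaves behind.
SHADOW_PATH_RE = re.compile(r"/etc/shadow(?:-|\.bak)?(?![\w/.-])")
# Tools the description associates with this technique.
CREDENTIAL_TOOLS = ("unshadow", "lazagne", "shadow.py")
# Programs the falsepositives section says touch /etc/shadow by design
# (hypothetical allowlist; tune it to your own fleet).
EXPECTED_IMAGES = {"passwd", "chpasswd", "chage", "apt", "apt-get", "yum", "dnf"}


def classify(event):
    """Return a reason string if a process_creation event looks like shadow-file
    access, or None. `event` is a dict with at least Image and CommandLine."""
    image = event.get("Image", "").rsplit("/", 1)[-1]
    cmd = event.get("CommandLine", "")
    if image in EXPECTED_IMAGES:
        return None  # expected access path; a renamed binary would bypass this
    lowered = cmd.lower()
    for tool in CREDENTIAL_TOOLS:
        if tool in lowered:
            return f"credential tool: {tool}"
    match = SHADOW_PATH_RE.search(cmd)
    if match:
        return f"shadow file referenced: {match.group(0)}"
    return None


def scan(events):
    """Apply classify() to a list of events; return [(pid, reason), ...] for hits."""
    return [(e.get("ProcessId"), r) for e in events if (r := classify(e))]


# Constructed sample events (not real telemetry), Sigma process_creation field names.
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": "/usr/bin/cat", "CommandLine": "cat /etc/shadow"},
    {"ProcessId": 102, "Image": "/usr/bin/passwd", "CommandLine": "passwd alice"},
    {"ProcessId": 103, "Image": "/usr/bin/python3",
     "CommandLine": "python3 -c \"print(open('/etc/shadow').read())\""},
    {"ProcessId": 104, "Image": "/usr/bin/cp", "CommandLine": "cp /etc/shadow- /tmp/sh"},
    {"ProcessId": 105, "Image": "/usr/bin/cat", "CommandLine": "cat /etc/passwd"},
    {"ProcessId": 106, "Image": "/usr/bin/apt-get", "CommandLine": "apt-get install vim"},
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

Reading /etc/passwd alone (event 105) is not flagged, since the rule is about the root-only shadow file; pair this with file-access auditing (for example an auditd watch on /etc/shadow) to catch readers that never put the path on a command line.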
