T1003.008 · credential-access · 0 actors · 1 correlated reports

/etc/passwd and /etc/shadow

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user. The Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:

# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db


Detection logic

The auditd monitoring tool, which ships by default in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.
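The following is an added example (not part of the technique page) of the detection described above: it consumes auditd records produced by file watches on /etc/passwd and /etc/shadow, joins the SYSCALL, PATH and PROCTITLE records of each event by audit serial, and reports the pid, process name, executable and decoded command line of every reader that is not on an allowlist of expected binaries. The watch rules named in the docstring, the allowlist of expected readers, and the sample log records are all assumptions constructed for the example.

```python
"""Parse auditd records for access to /etc/passwd and /etc/shadow and
report the pid, process name and arguments of each unexpected reader.

Added example, not part of the technique page. It assumes watch rules
such as the following are loaded (via auditctl or /etc/audit/rules.d/):
    -w /etc/passwd -p rwa -k etc_passwd
    -w /etc/shadow -p rwa -k etc_shadow
The sample records below are constructed to resemble auditd output.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

WATCHED = {"/etc/passwd", "/etc/shadow"}

# Binaries expected to read these files on a typical host. Assumed
# allowlist for the example; tune it per distribution and PAM setup.
EXPECTED_READERS = {
    "/usr/sbin/unix_chkpwd", "/usr/bin/passwd", "/usr/bin/sudo",
    "/usr/sbin/sshd", "/usr/bin/login",
}

# Constructed sample records: three events, serials 456..458.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c2a3f2a0 a2=0 a3=0 items=1 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="etc_shadow"
type=CWD msg=audit(1700000000.123:456): cwd="/root"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/shadow" inode=1234567 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1700000000.123:456): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.456:457): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0a1b2c30 a2=80000 a3=0 items=1 ppid=2001 pid=2002 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=unconfined key="etc_shadow"
type=PATH msg=audit(1700000000.456:457): item=0 name="/etc/shadow" inode=1234567 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1700000000.456:457): proctitle="unix_chkpwd"
type=SYSCALL msg=audit(1700000001.789:458): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5603b2c4d1e0 a2=0 a3=0 items=1 ppid=5500 pid=5601 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="unshadow" exe="/usr/bin/unshadow" subj=unconfined key="etc_passwd"
type=PATH msg=audit(1700000001.789:458): item=0 name="/etc/passwd" inode=1234560 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1700000001.789:458): proctitle=756E736861646F77002F6574632F706173737764002F6574632F736861646F77
"""


def parse_fields(line):
    """Split one audit record into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def decode_proctitle(value):
    """PROCTITLE is hex with NUL-separated argv when the command line
    contains spaces or special characters, otherwise a quoted string."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value
    return " ".join(p.decode("utf-8", "replace") for p in raw.split(b"\0") if p)


def group_events(lines):
    """Join SYSCALL, PATH and PROCTITLE records that share an audit serial."""
    events = defaultdict(lambda: {"paths": [], "argv": ""})
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        fields = parse_fields(line)
        kind = fields.get("type")
        if kind == "SYSCALL":
            ev["time"] = m.group(1)
            for k in ("pid", "ppid", "auid", "uid", "comm", "exe", "key", "success"):
                ev[k] = fields.get(k)
        elif kind == "PATH":
            ev["paths"].append(fields.get("name"))
        elif kind == "PROCTITLE":
            pt = re.search(r"proctitle=(\S+)", line)
            if pt:
                ev["argv"] = decode_proctitle(pt.group(1))
    return events


def find_alerts(lines, expected=EXPECTED_READERS):
    """One alert per event that touched a watched file from a binary
    outside the allowlist. Failed opens are kept as well, because the
    attempt itself is the signal."""
    alerts = []
    for serial, ev in group_events(lines).items():
        files = sorted(set(ev["paths"]) & WATCHED)
        if not files or ev.get("exe") in expected:
            continue
        alerts.append({
            "serial": serial, "time": ev.get("time"), "pid": ev.get("pid"),
            "auid": ev.get("auid"), "comm": ev.get("comm"), "exe": ev.get("exe"),
            "argv": ev["argv"], "files": files, "success": ev.get("success"),
        })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG.splitlines()):
        print(f"[{a['serial']}] pid={a['pid']} auid={a['auid']} exe={a['exe']} "
              f"files={','.join(a['files'])} argv={a['argv']!r}")
```

Run against the constructed records, the script flags the cat and unshadow events and suppresses the unix_chkpwd read. The auid field matters more than uid here: all three events run as root, but auid preserves the login identity that elevated. A read watch on /etc/passwd is noisy on a real host, since any process resolving user names reads it, so many deployments watch /etc/shadow for reads and /etc/passwd only for writes and attribute changes; the allowlist and the rule set are the two knobs to tune.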

Observed actors

Correlated CTI and IR reports
