Clankerusecase
MITRE ATT&CK detection coverage

T1003.008: /etc/passwd and /etc/shadow

T1003.008 — /etc/passwd and /etc/shadow is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 6 detection use cases covering it and 3 threat-intel articles citing it.

Credential Access
6 Use cases
3 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (6)

ESXi Sensitive Files Accessed (ESCU; actions · alerting; P)
Linux Auditd Possible Access To Credential Files (ESCU; actions · hunting; P)
Linux Possible Access To Credential Files (ESCU; actions · hunting; P)
[LLM] sshd writing to non-standard files (credential-capture log artifact) (Bespoke; actions · hunting; DSPDDCS)
[LLM] nezha-agent spawning credential-access shell commands on Linux (post-RCE) (Bespoke; actions · alerting; DSΣPDDCS)
[LLM] TeamPCP Linux credential harvest: Python reading /etc/shadow + auth.log + cloud (Bespoke; actions · hunting; DSPDDCS)

Articles citing this technique (3)