| ID | Name |
|---|---|
| ATAGS-T1121.001 | /etc/passwd and /etc/shadow |
| ATAGS-T1121.002 | Cached Domain Credentials |
| ATAGS-T1121.003 | DCSync |
| ATAGS-T1121.004 | LSA Secrets |
| ATAGS-T1121.005 | LSASS Memory |
| ATAGS-T1121.006 | NTDS |
| ATAGS-T1121.007 | Proc Filesystem |
| ATAGS-T1121.008 | Security Account Manager |

Threat actors may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, with the password hashes held in /etc/shadow. By default, /etc/shadow is readable only by the root user.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
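
Because prevention is limited, it helps to know how much a dump of these two files would expose. The following audit is an added example, not part of the original page: it goes beyond the text by also naming the crypt(3) scheme of each hash, and the sample file contents, account names and function names are constructed for illustration.

```python
import stat

# Constructed sample data (not from a real system); hash bodies are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:$1$abcdefgh$PLACEHOLDERHASH:1001:1001::/home/legacy:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
svc:$1$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
locked:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
"""
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt"}  # schemes that fall quickly to offline cracking

def _fields(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")

def hashes_in_passwd(passwd_text):
    """Accounts whose hash sits in world-readable /etc/passwd instead of /etc/shadow."""
    return [f[0] for f in _fields(passwd_text)
            if len(f) > 1 and f[1] not in ("x", "*", "!", "")]

def scheme(field):
    """Name the crypt(3) scheme of a shadow password field, or None if it holds no hash."""
    field = field.lstrip("!")  # a leading '!' marks a locked account; the hash remains
    if field in ("", "*"):
        return None
    if field.startswith("$"):
        ident = field.split("$")[1]
        return SCHEMES.get(ident, "unknown:" + ident)
    return "descrypt"  # legacy DES hashes carry no '$' prefix

def weak_shadow_accounts(shadow_text):
    """Map each account with a weak hash scheme in shadow to that scheme's name."""
    return {f[0]: scheme(f[1]) for f in _fields(shadow_text)
            if len(f) > 1 and scheme(f[1]) in WEAK}

def shadow_mode_ok(mode):
    """True when no 'other' permission bits are set on the shadow file's mode."""
    return stat.S_IMODE(mode) & stat.S_IRWXO == 0

if __name__ == "__main__":
    print("hash stored in passwd:", hashes_in_passwd(SAMPLE_PASSWD))
    print("weak scheme in shadow:", weak_shadow_accounts(SAMPLE_SHADOW))
```

To audit a live host, pass the contents of the real files and `os.stat("/etc/shadow").st_mode` to these functions from a root session.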