Uncommon access to /etc/passwd

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-05-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

EDR Discovery Analytics, Credentials Grabbing Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.

Variations

Uncommon access to /etc/passwd by a security testing tool

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.


Uncommon access to /etc/passwd by a potentially known credential dumper or enumeration script

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.


Uncommon access to /etc/passwd by a potential Webshell

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.


Uncommon link creation to /etc/passwd

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.


Uncommon access to /etc/passwd with both /etc/passwd and /etc/shadow in the command line

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.


Uncommon access to /etc/passwd, involving a network utility

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.


Uncommon access to /etc/passwd from temporary or world writable directories

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.


Uncommon access to /etc/passwd with additional sensitive files in the command line

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.


Uncommon access to /etc/passwd via a new inline bash script

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.


Uncommon access to /etc/passwd using an interactive binary

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.


Uncommon access to /etc/passwd using an interactive shell

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process made an uncommon attempt to access /etc/passwd.

Attacker's Goals

  • Attackers may attempt to access sensitive files to steal credentials, perform reconnaissance on system configurations and users, and find pathways for lateral movement.

Investigative actions

  • Review the event's context - examine the process, its command line, and its origin to gain a comprehensive understanding of the anomalous access.
  • Assess the behavior's legitimacy: Given that this is an uncommon event, determine if this file access is an expected and authorized behavior for the actor process.
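The reference describes the detection in two parts: a per-host baseline of processes that normally read /etc/passwd is learned over the 30-day training period, an access by a process outside that baseline raises the base (Informational) alert, and the command-line and origin context listed under Variations escalates it to the Low or Medium severities shown above, with repeats suppressed for the 1-day deduplication period. The following Python is an added triage model of that logic, written for this page; it is not Cortex XDR code and does not reproduce the product's analytics. The event schema, the indicator lists (temporary directories, network utilities, shells, web-server parents, other sensitive paths), the rule that distinguishes an interactive shell from an interactive binary by a TTY flag, and every sample event are assumptions constructed for the example; the two Medium variations that depend on recognizing a security testing tool or known credential dumper take an operator-supplied name set, because the reference does not enumerate those tools.

```python
# Added example (not Cortex XDR code): baseline + variation triage for the
# "Uncommon access to /etc/passwd" alert. Event schema, indicator lists and
# sample events are constructed; severities and periods come from the reference.
from dataclasses import dataclass
from datetime import datetime, timedelta

TRAINING_PERIOD = timedelta(days=30)   # from the reference
DEDUP_PERIOD = timedelta(days=1)       # from the reference
TARGET = "/etc/passwd"

# Assumed indicator sets; the reference does not enumerate them.
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
NETWORK_UTILS = {"curl", "wget", "nc", "ncat", "socat"}
SHELLS = {"bash", "sh", "dash", "zsh"}
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
OTHER_SENSITIVE = ("/etc/sudoers", "/etc/gshadow", "/root/.ssh/")


@dataclass(frozen=True)
class FileEvent:            # constructed schema
    ts: datetime
    host: str
    process: str            # basename of the actor process
    path: str               # full path of the actor binary
    cmdline: str
    parent: str             # basename of the parent process
    cwd: str
    target: str
    op: str = "read"        # "read" or "link" (hard/symlink creation)
    tty: bool = False       # actor is attached to a terminal (assumption)


def _under(p, dirs):
    return any(p == d or p.startswith(d + "/") for d in dirs)


def build_baseline(training_events, now):
    """host -> set of actor binary paths that touched /etc/passwd inside the training window."""
    baseline = {}
    for e in training_events:
        if e.target == TARGET and now - e.ts <= TRAINING_PERIOD:
            baseline.setdefault(e.host, set()).add(e.path)
    return baseline


def variation(e, known_tools=frozenset()):
    """Map event context to (variation, severity), checked in the reference's order.
    known_tools: operator-supplied names of testing tools / credential dumpers."""
    if e.process in known_tools:
        return ("by a security testing tool or known credential dumper", "Medium")
    if e.parent in WEB_SERVERS:
        return ("by a potential Webshell", "Medium")
    if e.op == "link":
        return ("link creation to /etc/passwd", "Low")
    if "/etc/shadow" in e.cmdline:
        return ("with both /etc/passwd and /etc/shadow in the command line", "Low")
    if e.process in NETWORK_UTILS:
        return ("involving a network utility", "Low")
    if _under(e.path, TEMP_DIRS) or _under(e.cwd, TEMP_DIRS):
        return ("from temporary or world writable directories", "Low")
    if any(s in e.cmdline for s in OTHER_SENSITIVE):
        return ("with additional sensitive files in the command line", "Low")
    if e.process in SHELLS and " -c " in e.cmdline:
        return ("via a new inline bash script", "Low")
    if e.tty:
        return ("using an interactive shell" if e.process in SHELLS
                else "using an interactive binary", "Low")
    return ("uncommon access", "Informational")


def triage(events, baseline, known_tools=frozenset()):
    """Alert on actors outside the host baseline; one alert per
    (host, actor path, variation) within DEDUP_PERIOD."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.target != TARGET or e.path in baseline.get(e.host, set()):
            continue
        name, sev = variation(e, known_tools)
        key = (e.host, e.path, name)
        if key in last_seen and e.ts - last_seen[key] < DEDUP_PERIOD:
            continue
        last_seen[key] = e.ts
        alerts.append({"host": e.host, "process": e.path, "cmdline": e.cmdline,
                       "parent": e.parent, "variation": name, "severity": sev})
    return alerts


# Constructed sample data for one host.
NOW = datetime(2026, 5, 10, 12, 0)


def _ev(days_ago, process, path, cmdline, parent, cwd, **kw):
    return FileEvent(NOW - timedelta(days=days_ago), "web01", process, path,
                     cmdline, parent, cwd, TARGET, **kw)


TRAINING = [_ev(d, "sshd", "/usr/sbin/sshd", "sshd: user", "systemd", "/") for d in (29, 14, 2)]
TRAINING.append(_ev(40, "old", "/opt/old/bin", "old", "systemd", "/"))  # outside the window

LIVE = [
    _ev(0, "sshd", "/usr/sbin/sshd", "sshd: user", "systemd", "/"),              # baselined
    _ev(0, "cat", "/usr/bin/cat", "cat /etc/passwd /etc/shadow", "bash", "/home/ops"),
    _ev(0, "cat", "/usr/bin/cat", "cat /etc/passwd /etc/shadow", "bash", "/home/ops"),  # dup
    _ev(0, "php", "/usr/bin/php", "php /var/www/html/x.php", "php-fpm", "/var/www/html"),
    _ev(0, "run", "/tmp/.x/run", "./run", "sh", "/tmp/.x"),
    _ev(0, "getent", "/usr/bin/getent", "getent passwd", "bash", "/home/ops", tty=True),
    _ev(0, "agent", "/opt/app/bin/agent", "/opt/app/bin/agent --sync", "systemd", "/"),
]


def run_demo():
    return triage(LIVE, build_baseline(TRAINING, NOW))


if __name__ == "__main__":
    for a in run_demo():
        print(a["severity"], "-", a["variation"], "|", a["cmdline"])
```

Running the demo yields five alerts from seven live events: the sshd read is suppressed by the baseline, the second `cat` is removed by deduplication, and the remaining events land on the shadow-in-command-line (Low), potential Webshell (Medium), temporary-directory (Low), interactive-binary (Low) and base (Informational) entries. The ordering of checks in `variation` mirrors the order in which the reference lists its variations; an analyst's first investigative action, reviewing process, command line and origin, corresponds to the fields each alert carries.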