Linux Possible Access To Credential Files

Splunk Security Content

Summary
This detection rule identifies and alerts on suspicious access to, or dumping of, the `/etc/passwd` and `/etc/shadow` files on Linux systems. These files are central to user account management and to the storage of hashed passwords, respectively. The rule uses telemetry collected by Endpoint Detection and Response (EDR) agents and keys on the invocation of common command-line tools such as `cat`, `nano`, `vim`, and `vi` against these sensitive files. Because possession of hashed passwords can let an attacker escalate privileges or maintain persistence on a system, every alert generated by this rule warrants thorough investigation. The rule should be deployed with careful consideration of potential false positives, which stem primarily from legitimate administrative activity.
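The following is an added illustration of the rule's logic, written in Python rather than Splunk's SPL; it is not the rule's own search and not Splunk code. It applies the same two conditions the summary describes (a reader tool from the listed set, and a command line naming `/etc/passwd` or `/etc/shadow`) to a few constructed EDR process events, and adds an optional allowlist of (user, tool) pairs as one way to handle the administrative false positives the summary mentions. The event shape, the sample hosts and users, and the allowlist are assumptions made for this example.

```python
import os
import shlex
from dataclasses import dataclass
from typing import Optional

# Files the rule watches and the reader tools it keys on (both from the rule summary).
CREDENTIAL_FILES = ("/etc/passwd", "/etc/shadow")
READER_TOOLS = frozenset({"cat", "nano", "vim", "vi"})


@dataclass(frozen=True)
class ProcessEvent:
    """One process-launch record in the shape an EDR agent might report (assumed layout)."""
    host: str
    user: str
    process_name: str   # executable as recorded; may be an absolute path
    process: str        # complete command line


# Constructed sample telemetry for the example; not real data.
SAMPLE_EVENTS = [
    ProcessEvent("web01", "root", "cat", "cat /etc/shadow"),
    ProcessEvent("web01", "alice", "vim", "vim /etc/passwd"),
    ProcessEvent("web01", "bob", "cat", "cat /etc/hostname"),
    ProcessEvent("db02", "root", "/usr/bin/vi", "/usr/bin/vi /etc/shadow"),
    ProcessEvent("db02", "deploy", "less", "less /etc/passwd"),
    ProcessEvent("db02", "ansible", "cat", "cat /etc/passwd"),
]


def touches_credential_file(cmdline: str) -> Optional[str]:
    """Return the first watched path named on the command line, else None.

    Matching inside each argument (rather than on whole tokens) also catches
    backup copies such as /etc/shadow- and forms like --file=/etc/passwd.
    """
    try:
        tokens = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        tokens = cmdline.split()
    for tok in tokens:
        for path in CREDENTIAL_FILES:
            if path in tok:
                return path
    return None


def evaluate(event: ProcessEvent, allowlist=frozenset()) -> Optional[dict]:
    """Apply the rule to one event. Returns an alert dict, or None when it does not fire."""
    tool = os.path.basename(event.process_name)   # "/usr/bin/vi" -> "vi"
    if tool not in READER_TOOLS:
        return None
    path = touches_credential_file(event.process)
    if path is None:
        return None
    # Tuning hook (an assumption of this example, not part of the rule text):
    # suppress (user, tool) pairs that are documented administrative activity.
    if (event.user, tool) in allowlist:
        return None
    return {
        "host": event.host,
        "user": event.user,
        "tool": tool,
        "file": path,
        "technique": "T1003.008",
        "command": event.process,
    }


def run_rule(events, allowlist=frozenset()):
    """Evaluate every event and return the alerts that fired, in input order."""
    return [a for a in (evaluate(e, allowlist) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, allowlist=frozenset({("ansible", "cat")})):
        print(f"[{alert['technique']}] {alert['host']}: {alert['user']} ran {alert['tool']} "
              f"on {alert['file']}: {alert['command']}")
```

Two points the sample events make visible: the rule is scoped to the four listed tools, so the `less /etc/passwd` event does not fire (a tuning decision to revisit if your environment sees other readers), and the allowlist is keyed on the user and tool together, so suppressing a configuration-management account's `cat` does not also suppress the same account opening `/etc/shadow` in `vim`.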
Categories
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
ATT&CK Techniques
  • T1003
  • T1003.008
Created: 2025-01-27