
Summary
This detection rule is designed to alert on attempts by adversaries to access the sensitive files /etc/passwd and /etc/shadow on Linux systems, which hold user account information and password hashes respectively. These files are often targeted for credential dumping, enabling attackers to perform offline password cracking. The rule leverages EDR logs to identify processes attempting to access these files, using specific search logic to filter the relevant events from the data stream. By aggregating matching events by timestamp, host, user, and process, the rule gives clear visibility into potentially malicious credential-access activity on endpoint systems. This technique is associated with credential dumping and is linked to the threat actor TeamTNT, among others. The rule supports defensive measures against unauthorized access to crucial credential information.
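As an added illustration of the search-and-aggregation logic described above (example code written for this page, not the rule's own query and not any vendor's EDR schema), the following Python filters constructed EDR file-access events for /etc/passwd and /etc/shadow and groups the hits by host, user, and process with first-seen, last-seen, and count. The event field names (`timestamp`, `host`, `user`, `process`, `file_path`) and the optional process allowlist are assumptions an analyst would adapt to their own telemetry.

```python
import os
from datetime import datetime

# The two files the rule watches (from the rule summary).
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}

# Constructed sample EDR events for demonstration only; the schema
# (field names) is an assumption, not a real product's format.
SAMPLE_EVENTS = [
    {"timestamp": "2024-02-09T10:00:01Z", "host": "web01", "user": "root",
     "process": "/usr/bin/cat", "file_path": "/etc/shadow"},
    # Non-canonical path: should still match after normalisation.
    {"timestamp": "2024-02-09T10:00:05Z", "host": "web01", "user": "root",
     "process": "/usr/bin/cat", "file_path": "/etc//passwd"},
    # Unrelated file access: must not match.
    {"timestamp": "2024-02-09T10:01:00Z", "host": "web01", "user": "www-data",
     "process": "/usr/bin/python3", "file_path": "/var/www/app.py"},
    {"timestamp": "2024-02-09T10:02:30Z", "host": "db02", "user": "alice",
     "process": "/usr/bin/vim", "file_path": "/etc/passwd"},
    # A system daemon reading /etc/passwd is routine; tuning may allowlist it.
    {"timestamp": "2024-02-09T10:03:00Z", "host": "web01", "user": "root",
     "process": "/usr/sbin/sshd", "file_path": "/etc/passwd"},
]


def is_sensitive_access(event):
    """True if the event's file path resolves to /etc/passwd or /etc/shadow.

    normpath collapses '//' and '/./' so trivially rewritten paths still match;
    backups such as /etc/passwd.bak are deliberately not matched here.
    """
    path = os.path.normpath(event.get("file_path", ""))
    return path in SENSITIVE_FILES


def _parse_ts(value):
    # Accept the trailing 'Z' that many log pipelines emit.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def aggregate_accesses(events, allowlisted_processes=frozenset()):
    """Filter sensitive-file accesses and group them by (host, user, process).

    Returns a list of dicts with first_seen, last_seen, count and the set of
    files touched, sorted by first_seen. allowlisted_processes is an analyst
    tuning knob (assumed, not part of the rule as described).
    """
    groups = {}
    for ev in events:
        if not is_sensitive_access(ev):
            continue
        if ev["process"] in allowlisted_processes:
            continue
        key = (ev["host"], ev["user"], ev["process"])
        ts = _parse_ts(ev["timestamp"])
        g = groups.setdefault(key, {
            "host": ev["host"], "user": ev["user"], "process": ev["process"],
            "first_seen": ts, "last_seen": ts, "count": 0, "files": set(),
        })
        g["first_seen"] = min(g["first_seen"], ts)
        g["last_seen"] = max(g["last_seen"], ts)
        g["count"] += 1
        g["files"].add(os.path.normpath(ev["file_path"]))
    return sorted(groups.values(), key=lambda g: g["first_seen"])


def format_alert(group):
    """Render one aggregated group as a single alert line."""
    files = ", ".join(sorted(group["files"]))
    return (f"{group['first_seen'].isoformat()} {group['host']} "
            f"user={group['user']} process={group['process']} "
            f"count={group['count']} files={files}")


if __name__ == "__main__":
    for grp in aggregate_accesses(SAMPLE_EVENTS,
                                  allowlisted_processes={"/usr/sbin/sshd"}):
        print(format_alert(grp))
```

Grouping by host, user, and process is what turns a noisy stream of file events into one reviewable alert per actor; the allowlist shows where tuning for routine readers of /etc/passwd (name-service lookups by daemons) would go without silencing reads of /etc/shadow, which is far rarer outside authentication components.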
Categories
- Linux
- Endpoint
Data Sources
- File
- Process
- User Account
ATT&CK Techniques
- T1003.008
- T1081.001
- T1003
Created: 2024-02-09