
Potential Linux Credential Dumping via Unshadow

Elastic Detection Rules

Summary
This detection rule identifies execution of the 'unshadow' utility, a component of the John the Ripper password-cracking tool. 'unshadow' merges the contents of '/etc/shadow' and '/etc/passwd' into a single file, putting user password hashes into a form that can be fed to cracking attempts. When a malicious actor runs this tool, they are collecting credential material that can enable unauthorized access later in an attack, so combining these two files is a strong indicator of preparation for a credential attack. The rule inspects process events on Linux hosts and raises an alert when 'unshadow' is executed with the requisite number of arguments, which signals possible credential dumping. The alert gives security teams a point at which to detect, investigate and respond to credential dumping activity and so keep tighter control over sensitive account information.
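The matching logic described above, applied to constructed ECS-style process events, as an added example that is not Elastic's rule code. It assumes an argument threshold of three (the binary plus the two file paths), that the event is a Linux process-start event, and the `make_event`, `get`, `matches_unshadow_rule` and `find_alerts` helper names; none of these come from the page.

```python
# Assumed threshold: the unshadow binary plus the two files it merges. The page
# only says "a requisite number of arguments"; 3 is this example's assumption.
MIN_ARGS_COUNT = 3
START_ACTIONS = ("exec", "exec_event", "start", "ProcessRollup2")  # assumed start actions

def make_event(os_type, action, etype, name, args, user="root", parent="bash"):
    """Build a minimal ECS-style process event (constructed sample data)."""
    return {"host": {"os": {"type": os_type}}, "event": {"type": [etype], "action": action},
            "process": {"name": name, "args": args, "args_count": len(args),
                        "user": {"name": user}, "parent": {"name": parent}}}

# Constructed sample telemetry: one true positive, then cases the rule must not flag.
SAMPLE_EVENTS = [
    make_event("linux", "exec", "start", "unshadow", ["unshadow", "/etc/passwd", "/etc/shadow"]),
    make_event("linux", "exec", "start", "unshadow", ["unshadow"], user="bob"),  # usage text only
    make_event("linux", "end", "end", "unshadow", ["unshadow", "/etc/passwd", "/etc/shadow"]),
    make_event("windows", "start", "start", "unshadow", ["unshadow", "a", "b"]),
    make_event("linux", "exec", "start", "cat", ["cat", "/etc/passwd"]),
]

def get(event, path, default=None):
    """Walk a dotted ECS field path such as 'process.args_count'."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def matches_unshadow_rule(event):
    """True when a Linux process-start event runs 'unshadow' with enough arguments."""
    event_types = get(event, "event.type", [])
    if isinstance(event_types, str):  # ECS allows a scalar here
        event_types = [event_types]
    return (get(event, "host.os.type") == "linux"
            and "start" in event_types
            and get(event, "event.action") in START_ACTIONS
            and get(event, "process.name") == "unshadow"
            and (get(event, "process.args_count") or 0) >= MIN_ARGS_COUNT)

def find_alerts(events):
    """Run the rule over events; return the fields an analyst needs for triage."""
    return [{"user": get(ev, "process.user.name", "?"),
             "parent": get(ev, "process.parent.name", "?"),
             "command_line": " ".join(get(ev, "process.args", []))}
            for ev in events if matches_unshadow_rule(ev)]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event fires; the bare invocation, the process-end event, the non-Linux host and the unrelated process are all filtered out, which is the behaviour to confirm before tuning the threshold in your own environment.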
Categories
  • Linux
  • Endpoint
  • Application
  • Identity Management
Data Sources
  • Process
  • File
  • Command
  • Application Log
  • Network Share
ATT&CK Techniques
  • T1003
  • T1003.008
Created: 2023-02-27