Loading threats
Execution of grep -c ':' /etc/passwd 2>/dev/null to count the number of colon-delimited entries in /etc/passwd, effectively returning the total number of user account records. This pattern reflects local account enumeration and environment profiling activity, commonly performed after shell access to assess system population or detect sandbox anomalies.
This attack primitive is part of the SikkerAPI detection catalog and is actively monitored across our global honeypot network. No IPs in the current retention window have triggered this detection signature.
When an attacker triggers this primitive, matched IPs will appear here with confidence scores, geolocation, and session details. Browse other SSH detections or look up a specific IP to check its threat profile.