Description
Adversaries may gather credentials from the proc filesystem, `/proc`. The proc filesystem is a pseudo-filesystem that serves as an interface to kernel data structures on Linux-based systems, including the kernel's view of each process's virtual memory. For each process, `/proc/<PID>/maps` shows how memory is mapped within the process's virtual address space, and `/proc/<PID>/mem`, exposed for debugging purposes, provides read access to the contents of that address space.(Citation: Picus Labs Proc dump 2022)(Citation: baeldung Linux proc map 2022)
When executing with root privileges, adversaries can search these memory locations for every process on the system for patterns indicative of credentials. A typical approach is to enumerate a process's readable mappings from its maps file, for example with `grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1`, read each listed address range out of `/proc/<PID>/mem`, and run regex searches for fixed strings or cached hashes over the bytes recovered.(Citation: atomic-red proc file system) Opening another process's mem file requires the same access the kernel demands for a ptrace attach, so an unprivileged user is normally limited to processes running under their own UID, and further by kernel ptrace restrictions where they are enabled. Even without privileged access, a process can still read its own virtual memory, and some services or programs keep credentials in clear text inside process memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
A process running as, or with the permissions of, a web browser can search the browser's maps and mem files for common website credential patterns (strings that can also be used to locate adjacent memory within the same structure) where hashes or cleartext credentials may be located.
Mitigations (2)
M1027 Password Policies
Ensure that root accounts have complex, unique passwords across all systems on the network.
M1026 Privileged Account Management
Follow best practices for restricting access to privileged accounts so that hostile programs cannot use them to reach sensitive information.
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S1109 | PACEMAKER | Malware | [PACEMAKER](https://attack.mitre.org/software/S1109) has the ability to extract credentials from OS memory.(Citation: Mandiant Pulse Secure Zero-Day A... |
| S0349 | LaZagne | Tool | [LaZagne](https://attack.mitre.org/software/S0349) can use the `<PID>/maps` and `<PID>/mem` files to identify regex patterns to dump cleartext passwor... |
| S0179 | MimiPenguin | Tool | [MimiPenguin](https://attack.mitre.org/software/S0179) can use the `<PID>/maps` and `<PID>/mem` file to search for regex patterns and dump the process... |
References
- Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024.
- baeldung. (2022, April 8). Understanding the Linux /proc/id/maps File. Retrieved March 31, 2023.
- Carlos Polop. (2023, March 5). Linux Privilege Escalation. Retrieved March 31, 2023.
- Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017.
- Huseyin Can YUCEEL & Picus Labs. (2022, March 22). Retrieved March 31, 2023.
Frequently Asked Questions
What is T1003.007 (Proc Filesystem)?
T1003.007 is a MITRE ATT&CK technique named 'Proc Filesystem'. It belongs to the Credential Access tactic(s). Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtu...
How can T1003.007 be detected?
Detection of T1003.007 (Proc Filesystem) focuses on access to process memory through `/proc/<PID>/maps` and `/proc/<PID>/mem`: monitor command execution for shell pipelines or scripts that read those paths (such as the grep/cut enumeration shown in the description) and for known tooling such as MimiPenguin and LaZagne, and monitor file access to `/proc/<PID>/mem` by a process that is neither the owning process nor an expected debugger. Feed this endpoint telemetry into SIEM rules, EDR detections, or behavioral analytics alongside other credential-dumping indicators.
What mitigations exist for T1003.007?
There are 2 documented mitigations for T1003.007. Key mitigations include: Password Policies, Privileged Account Management.
Which threat groups use T1003.007?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.