DET0593 Detecting OS Credential Dumping via /proc Filesystem Access on Linux

Item            Value
ID              DET0593
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1003.007 (Proc Filesystem)

Analytics

Linux

AN1631

Monitoring adversary access to sensitive process memory via the /proc filesystem to extract credential material. This often involves multi-step access to /proc/[pid]/mem or /proc/[pid]/maps, combined with privilege escalation or the use of credential-scraping binaries.

Log Sources
Data Component               Name             Channel
File Access (DC0055)         auditd:SYSCALL   open, read
File Modification (DC0061)   auditd:SYSCALL   write
Process Access (DC0035)      auditd:SYSCALL   ptrace or process_vm_readv
Process Creation (DC0032)    linux:Sysmon     EventCode=1
Mutable Elements
Field              Description
AccessedFilePath   Monitored paths such as /proc/[pid]/mem or /proc/[pid]/maps may need to be scoped based on the environment
ProcessName        Command-line or binary names associated with credential-scraping tools may vary
UserContext        An elevated or unexpected user context accessing another process's memory may indicate malicious activity
TimeWindow         Correlating memory access with process creation or ptrace activity within a specific time range
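As an added example that is not part of the DET0593 entry, the analytic above (AN1631) and its mutable elements expressed as Python over constructed, simplified auditd records: cross-process access to /proc/[pid]/mem or /proc/[pid]/maps (File Access, DC0055) is correlated with ptrace or process_vm_readv (Process Access, DC0035) from the same accessing pid inside a TimeWindow. The record layout (SYSCALL fields joined with the PATH name, syscalls already interpreted to names), the pids, uids and the 60-second window are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified auditd records (ausearch -i style, SYSCALL record joined with the
# name field of its PATH record). Not real logs: pids, uids and timestamps are made up.
SAMPLE_EVENTS = [
    'time=1729500000 type=SYSCALL syscall=openat success=yes pid=4100 uid=1000 comm="bash" name="/proc/4100/maps"',
    'time=1729500010 type=SYSCALL syscall=ptrace success=yes pid=4200 uid=0 comm="dumper" a0=PTRACE_ATTACH',
    'time=1729500012 type=SYSCALL syscall=openat success=yes pid=4200 uid=0 comm="dumper" name="/proc/1337/maps"',
    'time=1729500013 type=SYSCALL syscall=openat success=yes pid=4200 uid=0 comm="dumper" name="/proc/1337/mem"',
    'time=1729500050 type=SYSCALL syscall=process_vm_readv success=yes pid=4300 uid=1000 comm="gdb"',
    'time=1729500100 type=SYSCALL syscall=openat success=yes pid=4400 uid=1000 comm="python3" name="/proc/4100/mem"',
    'time=1729500900 type=SYSCALL syscall=openat success=yes pid=4300 uid=1000 comm="gdb" name="/proc/2000/maps"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_MEM_RE = re.compile(r'^/proc/(\d+)/(mem|maps)$')   # AccessedFilePath (scope per environment)
FILE_SYSCALLS = {"open", "openat", "read"}               # File Access (DC0055)
PROCESS_SYSCALLS = {"ptrace", "process_vm_readv"}        # Process Access (DC0035)
TIME_WINDOW = 60  # seconds; the TimeWindow mutable element, assumed value

def parse(line):
    """Turn one key=value audit record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(ev):
    """'process' for ptrace-style access, 'file' for cross-process /proc/[pid]/mem|maps access, else None."""
    if ev.get("syscall") in PROCESS_SYSCALLS:
        return "process"
    if ev.get("syscall") in FILE_SYSCALLS:
        m = PROC_MEM_RE.match(ev.get("name", ""))
        if m and m.group(1) != ev.get("pid"):   # a process reading its own maps is normal
            return "file"
    return None

def detect(lines, window=TIME_WINDOW):
    """Per accessing pid: file and process access within `window` seconds is high confidence;
    a lone cross-process /proc/[pid]/mem read is medium; /maps alone or outside the window is dropped."""
    hits = defaultdict(list)
    for ev in map(parse, lines):
        kind = classify(ev)
        if kind:
            hits[ev["pid"]].append((int(ev["time"]), kind, ev.get("name", ev["syscall"]), ev.get("uid")))
    alerts = []
    for pid, evs in hits.items():
        kinds = {k for _, k, _, _ in evs}
        span = max(t for t, *_ in evs) - min(t for t, *_ in evs)
        if kinds == {"file", "process"} and span <= window:
            alerts.append((pid, "high", evs[0][3]))          # UserContext carried for triage
        elif "file" in kinds and any(n.endswith("/mem") for _, _, n, _ in evs):
            alerts.append((pid, "medium", evs[0][3]))
    return alerts
```

Running detect(SAMPLE_EVENTS) flags pid 4200 as high (ptrace plus /proc/1337/mem within 3 seconds) and pid 4400 as medium, while the debugger-like pid 4300 falls outside the window and pid 4100 only reads its own maps.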