T1003.007 Proc Filesystem
Adversaries may gather credentials from the proc filesystem or /proc. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the /proc/<PID>/maps file shows how memory is mapped within the process’s virtual address space. And /proc/<PID>/mem, exposed for debugging purposes, provides access to the process’s virtual address space.41
When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.32
If running as or with the permissions of a web browser, a process can search the /maps & /mem locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
| Item | Value |
|---|---|
| ID | T1003.007 |
| Sub-techniques | T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008 |
| Tactics | TA0006 |
| Platforms | Linux |
| Version | 1.1 |
| Created | 11 February 2020 |
| Last Modified | 15 April 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0349 | LaZagne | LaZagne can use the <PID>/maps and <PID>/mem files to identify regex patterns to dump cleartext passwords from the browser’s process memory.54 |
| S0179 | MimiPenguin | MimiPenguin can use the <PID>/maps and <PID>/mem file to search for regex patterns and dump the process memory.34 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1027 | Password Policies | Ensure that root accounts have complex, unique passwords across all systems on the network. |
| M1026 | Privileged Account Management | Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing sensitive information. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
References
-
baeldung. (2022, April 8). Understanding the Linux /proc/id/maps File. Retrieved March 31, 2023. ↩
-
Carlos Polop. (2023, March 5). Linux Privilege Escalation. Retrieved March 31, 2023. ↩
-
Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017. ↩↩
-
Huseyin Can YUCEEL & Picus Labs. (2022, March 22). Retrieved March 31, 2023. ↩↩↩
-
Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018. ↩