T1003.007 Proc Filesystem

Adversaries may gather credentials from information stored in the Proc filesystem, /proc. The Proc filesystem on Linux exposes a great deal of information about the state of the running operating system. Processes running with root privileges can use this facility to scrape the live memory of other running programs. If any of those programs keep clear-text passwords or password hashes in memory, the values can be harvested for direct use or for offline brute-force attacks, respectively.

This functionality has been implemented in MimiPenguin [1], an open-source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by searching it for text strings and regular-expression patterns that match how given applications, such as GNOME Keyring, sshd, and Apache, store such authentication artifacts in memory.

ID                    T1003.007
Sub-techniques        T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008
Tactics               TA0006
Platforms             Linux
Permissions required  root
Version               1.0
Created               11 February 2020
Last Modified         19 March 2020

Procedure Examples

ID     Name         Description
S0349  LaZagne      LaZagne can obtain credential information from running Linux processes. [2]
S0179  MimiPenguin  MimiPenguin can dump process memory and extract clear-text credentials. [1]

Mitigations

ID     Mitigation                     Description
M1027  Password Policies              Ensure that root accounts have complex, unique passwords across all systems on the network.
M1026  Privileged Account Management  Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing sensitive information.

Detection

ID      Data Source  Data Component
DS0017  Command      Command Execution
DS0022  File         File Access
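As an added example, not part of the ATT&CK page or of any tool it names, the following Python script shows one way to act on the File Access data component above: it correlates auditd-style SYSCALL and PATH records by their audit serial number and flags any process that opens another process's /proc/<pid>/mem or /proc/<pid>/maps, which is the access pattern the description attributes to memory-scraping tools. The log lines, pids, uids and program names are constructed for this example; the key=value record layout mirrors auditd, but the exact set of fields is an assumption.

```python
import re
from collections import defaultdict

# Constructed auditd-style records (not a real capture). SYSCALL and PATH
# records that belong to one event share the msg=audit(<time>:<serial>) key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 pid=4123 uid=0 comm="mimipenguin" exe="/tmp/mimipenguin"
type=PATH msg=audit(1700000000.101:501): item=1 name="/proc/1200/mem" inode=5555 mode=0100600
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=257 success=yes exit=3 pid=1200 uid=1000 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon"
type=PATH msg=audit(1700000000.205:502): item=1 name="/proc/self/maps" inode=5556 mode=0100444
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=257 success=yes exit=3 pid=5151 uid=1000 comm="bash" exe="/usr/bin/bash"
type=PATH msg=audit(1700000000.300:503): item=1 name="/proc/5151/status" inode=5557 mode=0100444
type=SYSCALL msg=audit(1700000000.400:504): arch=c000003e syscall=257 success=yes exit=3 pid=6000 uid=0 comm="python3" exe="/usr/bin/python3"
type=PATH msg=audit(1700000000.400:504): item=1 name="/proc/1200/maps" inode=5558 mode=0100444
type=SYSCALL msg=audit(1700000000.500:505): arch=c000003e syscall=257 success=no exit=-13 pid=7000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1700000000.500:505): item=1 name="/proc/1/mem" inode=5559 mode=0100600
"""

# key=value pairs; values are either double-quoted or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
# Only the two /proc entries that expose a process's memory and its layout
PROC_MEM_RE = re.compile(r'^/proc/(self|\d+)/(mem|maps)$')


def parse_record(line):
    """Split one audit record into a dict of fields plus its event serial."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    serial = SERIAL_RE.search(line)
    fields["_serial"] = serial.group(1) if serial else None
    return fields


def group_events(log_text):
    """Group records by audit serial so SYSCALL and PATH lines are joined."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    return events


def find_cross_process_proc_reads(log_text):
    """Return one finding per event in which a process opened the mem or maps
    file of a *different* pid. Self-inspection (/proc/self or own pid) is
    routine for many programs and is skipped."""
    findings = []
    for serial, records in group_events(log_text).items():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        reader_pid = syscall.get("pid")
        for rec in records:
            if rec.get("type") != "PATH":
                continue
            m = PROC_MEM_RE.match(rec.get("name", ""))
            if not m:
                continue
            target, leaf = m.groups()
            if target in ("self", reader_pid):
                continue
            findings.append({
                "serial": serial,
                "reader_pid": reader_pid,
                "uid": syscall.get("uid"),
                "comm": syscall.get("comm"),
                "exe": syscall.get("exe"),
                "target_pid": target,
                "file": leaf,
                "success": syscall.get("success") == "yes",
            })
    return findings


def severity(finding):
    """Denied opens are low (the kernel blocked them, but note the attempt);
    a successful open of mem is high, of maps medium."""
    if not finding["success"]:
        return "low"
    return "high" if finding["file"] == "mem" else "medium"


if __name__ == "__main__":
    for f in find_cross_process_proc_reads(SAMPLE_AUDIT_LOG):
        print(f"[{severity(f):6}] event {f['serial']}: pid {f['reader_pid']} "
              f"uid {f['uid']} {f['comm']} ({f['exe']}) opened "
              f"/proc/{f['target_pid']}/{f['file']}")
```

Two points for anyone adapting this: a failed open of another process's mem (the `cat` line above) is still worth surfacing, because it shows a non-root account probing for credentials, and this parser only sees file opens, so memory read through ptrace or process_vm_readv produces no PATH record and must be covered by a separate syscall rule. Legitimate debuggers and profilers will also appear here; tune by executable path rather than by suppressing the rule.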
