MITRE Technique [T1003.007] OS Credential Dumping: Proc Filesystem

[T1003.007] OS Credential Dumping: Proc Filesystem – Adversaries can extract credentials and cached secrets from Linux process memory exposed via the /proc pseudo-filesystem, leveraging files like /proc/<PID>/maps and /proc/<PID>/mem to locate cleartext passwords or hashes. Monitoring access to these proc files and scanning process memory usage patterns helps detect and mitigate this technique. #OSCredentialDumping #ProcFilesystem

Keypoints

  • Attackers read /proc/<PID>/maps and /proc/<PID>/mem to locate process memory regions that contain credentials.
  • Root or elevated access allows scanning all PIDs; unprivileged processes can still inspect their own memory for stored secrets.
  • Regex and memory-scan tools (grep, strings, custom scripts) are commonly used to find cleartext credentials and hashes.
  • Auditd file watches and EDR hooks on open/read syscalls provide practical detection points for suspicious proc access.
  • Mitigations include avoiding cleartext credential storage in memory, using credential managers, and restricting /proc access with namespace and permissions controls.

Description:

  • Like rifling through a row of open notebooks to find a sticky note with a password, attackers scan a system’s process memory via /proc to find secrets left in application memory.
  • The technique reads /proc/<PID>/maps to find memory regions and /proc/<PID>/mem to read those regions. By searching for patterns or known credential formats, adversaries can extract plaintext passwords, session tokens, or hashed credentials, enabling lateral movement, privilege escalation, or account takeover.

Detection:

  • Use Auditd to watch for open/read on /proc/*/maps and /proc/*/mem. Alert on unexpected processes accessing other PIDs’ maps or mem files. Include PID, uid, executable path, and arguments in alerts.
  • Deploy EDR rules to monitor ptrace, process_vm_readv, open, and pread syscalls against /proc/*/mem and /proc/*/maps. Block or quarantine processes that attempt cross-PID reads without expected justification.
  • Log and monitor command execution for common scanning commands and regex usage (examples: grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps, strings /proc/*/mem). Tie shell/history logs to process access events for context.
  • Collect and analyze /var/log/audit/audit.log and kernel syscall logs for patterns of repeated reads across many PIDs. Flag bursts of proc access from a single user or binary as suspicious.
  • Watch web browser and service processes for internal memory scanning behavior. Correlate network activity or child process creation from browsers with proc file access to identify in-process credential harvesting.
  • Be aware of false positives from legitimate debugging or admin tools. Maintain an allowlist of approved debuggers and scheduled maintenance windows. Require elevated, signed tools for debugging where possible.
  • Harden detection by combining file-access alerts with behavioral indicators: sudden credential use, new authentication attempts, or lateral connections after proc reads. Use threat intelligence to map detections to known tools (e.g., MimiPenguin) and tune alerts accordingly.
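One way to turn the Auditd and audit.log bullets above into a concrete check, as an added example that is not part of the original page: it joins auditd SYSCALL and PATH records by audit event id, flags every read of another process's /proc/<PID>/mem or /proc/<PID>/maps, and then groups those reads by uid and executable to surface a single binary sweeping many PIDs. The audit records are constructed samples; the field subset shown and the `proc_mem` audit key name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not captured from a real host): one process
# reading its own maps file, then a root-run binary reading other PIDs' maps and mem.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4501): arch=c000003e syscall=257 success=yes exit=3 pid=1342 auid=1000 uid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="proc_mem"
type=PATH msg=audit(1700000000.101:4501): item=0 name="/proc/1342/maps" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:4502): arch=c000003e syscall=257 success=yes exit=3 pid=2210 auid=1000 uid=0 comm="python3" exe="/usr/bin/python3.10" key="proc_mem"
type=PATH msg=audit(1700000000.202:4502): item=0 name="/proc/987/maps" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.203:4503): arch=c000003e syscall=257 success=yes exit=3 pid=2210 auid=1000 uid=0 comm="python3" exe="/usr/bin/python3.10" key="proc_mem"
type=PATH msg=audit(1700000000.203:4503): item=0 name="/proc/987/mem" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.204:4504): arch=c000003e syscall=257 success=yes exit=3 pid=2210 auid=1000 uid=0 comm="python3" exe="/usr/bin/python3.10" key="proc_mem"
type=PATH msg=audit(1700000000.204:4504): item=0 name="/proc/1051/mem" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:4505): arch=c000003e syscall=257 success=yes exit=3 pid=2210 auid=1000 uid=0 comm="python3" exe="/usr/bin/python3.10" key="proc_mem"
type=PATH msg=audit(1700000000.205:4505): item=0 name="/proc/1342/mem" nametype=NORMAL
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # (timestamp, event serial)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')                # key=value or key="value"
PROC_FILE = re.compile(r"^/proc/(\d+)/(mem|maps)$")        # target PID and file

def parse_events(log_text):
    """Join SYSCALL and PATH records by event id; return reads of another PID's mem/maps."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(2)]
        if fields.get("type") == "SYSCALL":
            ev.update(pid=int(fields["pid"]), uid=fields.get("uid"), exe=fields.get("exe"), ts=float(m.group(1)))
        elif fields.get("type") == "PATH":
            ev["name"] = fields.get("name")
    hits = []
    for ev in events.values():
        pm = PROC_FILE.match(ev.get("name", ""))
        if pm and ev.get("pid") is not None and int(pm.group(1)) != ev["pid"]:  # cross-PID read
            hits.append({"reader_pid": ev["pid"], "uid": ev["uid"], "exe": ev["exe"],
                         "target_pid": int(pm.group(1)), "file": pm.group(2), "ts": ev["ts"]})
    return hits

def burst_alerts(hits, min_targets=2):
    """Flag a single (uid, exe) pair whose cross-PID reads touch at least min_targets distinct PIDs."""
    targets = defaultdict(set)
    for h in hits:
        targets[(h["uid"], h["exe"])].add(h["target_pid"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}
```

The self-read by firefox (pid 1342 opening /proc/1342/maps) is deliberately not flagged, which keeps ordinary in-process behaviour out of the alert while still catching the sweep by the root-run python3 process.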

Tactics:
Credential Access

Platforms:
Linux

Data Sources:
Command: Command Execution, File: File Access

Relationship Citations:
(Citation: Mandiant Pulse Secure Zero-Day April 2021), (Citation: Picus Labs Proc cump 2022), (Citation: MimiPenguin GitHub May 2017), (Citation: GitHub LaZagne Dec 2018)

Read More: https://attack.mitre.org/techniques/T1003/007