T1003.007 Proc Filesystem Mappings

Adversaries may gather credentials from information stored in the Proc filesystem or <code>/proc</code>. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.

This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1003.007 Proc Filesystem
AC-3 Access Enforcement Protects T1003.007 Proc Filesystem
AC-5 Separation of Duties Protects T1003.007 Proc Filesystem
AC-6 Least Privilege Protects T1003.007 Proc Filesystem
CA-7 Continuous Monitoring Protects T1003.007 Proc Filesystem
CM-2 Baseline Configuration Protects T1003.007 Proc Filesystem
CM-5 Access Restrictions for Change Protects T1003.007 Proc Filesystem
CM-6 Configuration Settings Protects T1003.007 Proc Filesystem
IA-2 Identification and Authentication (organizational Users) Protects T1003.007 Proc Filesystem
IA-5 Authenticator Management Protects T1003.007 Proc Filesystem
SC-28 Protection of Information at Rest Protects T1003.007 Proc Filesystem
SC-39 Process Isolation Protects T1003.007 Proc Filesystem
SI-3 Malicious Code Protection Protects T1003.007 Proc Filesystem
SI-4 System Monitoring Protects T1003.007 Proc Filesystem
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1003.007 OS Credential Dumping: Proc Filesystem
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.007 OS Credential Dumping: Proc Filesystem
attribute.confidentiality.data_disclosure related-to T1003.007 OS Credential Dumping: Proc Filesystem