T1003.007 Proc Filesystem Mappings

Adversaries may gather credentials from the proc filesystem, /proc. The proc filesystem is a pseudo-filesystem that acts as an interface to kernel data structures on Linux-based systems, including those managing virtual memory. For each process, the /proc/<PID>/maps file shows how memory is mapped within the process's virtual address space, and /proc/<PID>/mem, exposed for debugging purposes, provides access to the contents of that address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
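To make the /proc/<PID>/maps format concrete from a defender's side, the following is an added example (not code from MITRE, Picus Labs or any project the page cites). It parses the maps format documented in proc(5) and summarises how much writable, file-less memory a process has, i.e. the heap, stack and anonymous regions where services that keep cleartext secrets in memory tend to hold them. The `SAMPLE_MAPS` text is constructed for the example; the optional `read_self_maps` helper reads only the calling process's own mappings, which any unprivileged process may do.

```python
"""Parse /proc/<PID>/maps and summarise a process's memory regions.

Added example for this page. Field layout follows proc(5):
    address           perms offset  dev   inode   [pathname]
"""
import re
from dataclasses import dataclass
from typing import List

_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)


@dataclass
class Region:
    start: int
    end: int
    perms: str
    offset: int
    dev: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def anonymous(self) -> bool:
        # inode 0 with no real file path (empty or a pseudo-path such as
        # [heap] / [stack]) means the region has no backing file.
        return self.inode == 0 and (self.path == "" or self.path.startswith("["))


def parse_maps(text: str) -> List[Region]:
    """Parse the text of a maps file into Region records."""
    regions: List[Region] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _MAPS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised maps line: {line!r}")
        regions.append(Region(
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            perms=m["perms"],
            offset=int(m["offset"], 16),
            dev=m["dev"],
            inode=int(m["inode"]),
            path=m["path"].strip(),
        ))
    return regions


def writable_anonymous_bytes(regions: List[Region]) -> int:
    """Total size of writable regions with no backing file."""
    return sum(r.size for r in regions if r.writable and r.anonymous)


def read_self_maps() -> str:
    """Read the calling process's own mappings (no privilege needed)."""
    with open("/proc/self/maps", "r", encoding="utf-8") as f:
        return f.read()


# Constructed sample, shaped like a real maps file for a small binary.
SAMPLE_MAPS = """\
55d0c5a00000-55d0c5a02000 r--p 00000000 fd:01 1310884    /usr/bin/cat
55d0c5a02000-55d0c5a07000 r-xp 00002000 fd:01 1310884    /usr/bin/cat
55d0c7a3e000-55d0c7a5f000 rw-p 00000000 00:00 0          [heap]
7f2a1c000000-7f2a1c021000 rw-p 00000000 00:00 0
7ffd3b5c7000-7ffd3b5e8000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    regs = parse_maps(SAMPLE_MAPS)
    for r in regs:
        kind = "anon" if r.anonymous else "file"
        print(f"{r.start:012x}-{r.end:012x} {r.perms} {kind:4} {r.path}")
    print("writable anonymous bytes:", writable_anonymous_bytes(regs))
```

Running the script on `SAMPLE_MAPS` reports the three writable, file-less regions (heap, one anonymous mapping, stack), 405504 bytes in total; swapping in `read_self_maps()` shows the same breakdown for the interpreter itself on a Linux host.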

When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)

If running as or with the permissions of a web browser, a process can search the /maps & /mem locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.


Mappings

Capability ID  Capability Description                                      Mapping Type  ATT&CK ID  ATT&CK Name
AC-02          Account Management                                          Protects      T1003.007  Proc Filesystem
AC-03          Access Enforcement                                          Protects      T1003.007  Proc Filesystem
AC-05          Separation of Duties                                        Protects      T1003.007  Proc Filesystem
AC-06          Least Privilege                                             Protects      T1003.007  Proc Filesystem
CA-07          Continuous Monitoring                                       Protects      T1003.007  Proc Filesystem
CM-02          Baseline Configuration                                      Protects      T1003.007  Proc Filesystem
CM-05          Access Restrictions for Change                              Protects      T1003.007  Proc Filesystem
CM-06          Configuration Settings                                      Protects      T1003.007  Proc Filesystem
IA-02          Identification and Authentication (Organizational Users)    Protects      T1003.007  Proc Filesystem
IA-05          Authenticator Management                                    Protects      T1003.007  Proc Filesystem
SC-28          Protection of Information at Rest                           Protects      T1003.007  Proc Filesystem
SC-39          Process Isolation                                           Protects      T1003.007  Proc Filesystem
SI-03          Malicious Code Protection                                   Protects      T1003.007  Proc Filesystem
SI-04          System Monitoring                                           Protects      T1003.007  Proc Filesystem