OS Credential Dumping: Proc Filesystem

Other sub-techniques of OS Credential Dumping (8)

ID	Name
T1003.001	LSASS Memory
T1003.002	Security Account Manager
T1003.003	NTDS
T1003.004	LSA Secrets
T1003.005	Cached Domain Credentials
T1003.006	DCSync
T1003.007	Proc Filesystem
T1003.008	/etc/passwd and /etc/shadow

Adversaries may gather credentials from the proc filesystem or /proc. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the /proc/<PID>/maps file shows how memory is mapped within the process’s virtual address space. And /proc/<PID>/mem, exposed for debugging purposes, provides access to the process’s virtual address space.^[1]^[2]

When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1, to look for fixed strings in memory structures or cached hashes.^[3] When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.^[4]^[5]

If running as or with the permissions of a web browser, a process can search the /maps & /mem locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.

ID: T1003.007

Sub-technique of: T1003

ⓘ

Tactic: Credential Access

ⓘ

Platforms: Linux

Contributors: Tim (Wadhwa-)Brown

Version: 1.2

Created: 11 February 2020

Last Modified: 15 October 2024

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
S0349	LaZagne	LaZagne can use the `<PID>/maps` and `<PID>/mem` files to identify regex patterns to dump cleartext passwords from the browser's process memory.^[6]^[1]
S0179	MimiPenguin	MimiPenguin can use the `<PID>/maps` and `<PID>/mem` file to search for regex patterns and dump the process memory.^[4]^[1]
S1109	PACEMAKER	PACEMAKER has the ability to extract credentials from OS memory.^[7]

Mitigations

ID	Mitigation	Description
M1027	Password Policies	Ensure that root accounts have complex, unique passwords across all systems on the network.
M1026	Privileged Account Management	Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing sensitive information.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	Monitor executed commands and arguments that may gather credentials from information stored in the Proc filesystem or `/proc`. For instance, adversaries may use regex patterns to search for process memory that may be exfiltrated or searched for credentials.^[3]^[8] `grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps \| grep -E 'heap\|stack' \| cut -d' ' -f 1` `grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps \| grep heap \| cut -d' ' -f 1` Analytic 1 - Unexpected access to /proc filesystem. `index=os sourcetype="linux_audit" command IN ("grep -E '^[0-9a-f-] r' /proc//maps", "cat /proc//maps", "awk '{print $1}' /proc//maps")`
DS0022	File	File Access	Monitor for unexpected access to passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path `/proc/\/maps`, where the `\` directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs. Analytic 1 - Unauthorized access to /proc filesystem. `index=os sourcetype="linux_audit" command IN ("grep -E '^[0-9a-f-] r' /proc//maps")`

DS0017

Command

Command Execution

Monitor executed commands and arguments that may gather credentials from information stored in the Proc filesystem or /proc. For instance, adversaries may use regex patterns to search for process memory that may be exfiltrated or searched for credentials.^[3]^[8]

grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | grep -E 'heap|stack' | cut -d' ' -f 1

grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1

Analytic 1 - Unexpected access to /proc filesystem.

index=os sourcetype="linux_audit" command IN ("grep -E '^[0-9a-f-] r' /proc//maps", "cat /proc//maps", "awk '{print $1}' /proc//maps")

DS0022

File

File Access

Monitor for unexpected access to passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/\/maps, where the \ directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.

Analytic 1 - Unauthorized access to /proc filesystem.

index=os sourcetype="linux_audit" command IN ("grep -E '^[0-9a-f-] r' /proc//maps")

OS Credential Dumping: Proc Filesystem

Other sub-techniques of OS Credential Dumping (8)

Procedure Examples

Mitigations

Detection

References