OS Credential Dumping: Proc Filesystem

Adversaries may gather credentials from the proc filesystem, /proc. The proc filesystem is a pseudo-filesystem that exposes kernel data structures on Linux-based systems, including the kernel's view of each process's virtual memory. For each process, the /proc/<PID>/maps file shows how memory is mapped within the process’s virtual address space, while /proc/<PID>/mem, exposed for debugging purposes, provides access to the process’s virtual address space itself.[1][2]

When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1, to look for fixed strings in memory structures or cached hashes.[3] When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.[4][5]

If running as or with the permissions of a web browser, a process can search the browser's /proc/<PID>/maps and /proc/<PID>/mem for common website credential patterns (which can also be used to locate adjacent memory within the same structure) in which hashes or cleartext credentials may be located.

ID: T1003.007
Sub-technique of: T1003
Platforms: Linux
Contributors: Tim (Wadhwa-)Brown
Version: 1.2
Created: 11 February 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S0349 LaZagne

LaZagne can use the <PID>/maps and <PID>/mem files to identify regex patterns to dump cleartext passwords from the browser's process memory.[6][1]

S0179 MimiPenguin

MimiPenguin can use the <PID>/maps and <PID>/mem files to search for regex patterns and dump the process memory.[4][1]

S1109 PACEMAKER

PACEMAKER has the ability to extract credentials from OS memory.[7]

Mitigations

ID Mitigation Description
M1027 Password Policies

Ensure that root accounts have complex, unique passwords across all systems on the network.

M1026 Privileged Account Management

Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing sensitive information.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0593 Detecting OS Credential Dumping via /proc Filesystem Access on Linux

AN1631: Monitoring adversary access to sensitive process memory via the /proc filesystem to extract credential material, often involving multi-step access to /proc/[pid]/mem or /proc/[pid]/maps combined with privilege escalation or credential scraping binaries.
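An added illustration of the analytic above (not part of the ATT&CK page or of DET0593 itself): a small Python detector over constructed, simplified access events. It assumes each event has already been reduced to (accessor pid, uid, comm, path opened), for example from auditd syscall/PATH records or an eBPF tracer; the event shape, the sample values, and the threshold of three distinct target processes are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events: (accessor pid, accessor uid, comm, path opened).
# These are invented for the example, not captured from a real host.
EVENTS = [
    (4012, 1000, "firefox", "/proc/self/maps"),   # process reading its own maps
    (4012, 1000, "firefox", "/proc/4012/mem"),    # process reading its own memory
    (5120, 0,    "python3", "/proc/4012/maps"),   # root reading another process
    (5120, 0,    "python3", "/proc/4012/mem"),
    (5120, 0,    "python3", "/proc/2200/maps"),
    (5120, 0,    "python3", "/proc/2200/mem"),
    (5120, 0,    "python3", "/proc/1533/mem"),
    (6001, 1000, "gdb",     "/proc/4012/mem"),    # one cross-process read only
]

# Matches the two files the technique relies on; "self" resolves to the accessor.
PROC_MEM_RE = re.compile(r"^/proc/(self|\d+)/(mem|maps)$")


def classify(events, scrape_threshold=3):
    """Return findings keyed by accessor pid.

    Self-inspection (a process reading its own maps/mem) is expected and ignored.
    Reading another process's maps/mem is recorded; touching scrape_threshold or
    more distinct foreign pids is rated high (the multi-process scraping pattern),
    a root accessor below the threshold medium, anything else low.
    """
    targets = defaultdict(set)   # accessor pid -> set of foreign pids it read
    meta = {}                    # accessor pid -> (uid, comm)
    for pid, uid, comm, path in events:
        m = PROC_MEM_RE.match(path)
        if not m:
            continue
        target = pid if m.group(1) == "self" else int(m.group(1))
        if target == pid:
            continue             # own address space: unprivileged and legitimate
        targets[pid].add(target)
        meta[pid] = (uid, comm)

    findings = {}
    for pid, tset in targets.items():
        uid, comm = meta[pid]
        if len(tset) >= scrape_threshold:
            severity = "high"
        elif uid == 0:
            severity = "medium"
        else:
            severity = "low"
        findings[pid] = {"comm": comm, "uid": uid,
                         "targets": sorted(tset), "severity": severity}
    return findings
```

Running `classify(EVENTS)` reports pid 5120 (root, three foreign processes) as high and pid 6001 as low, while the browser's reads of its own entries produce no finding.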
