| ID | Name |
|---|---|
| T1003.001 | LSASS Memory |
| T1003.002 | Security Account Manager |
| T1003.003 | NTDS |
| T1003.004 | LSA Secrets |
| T1003.005 | Cached Domain Credentials |
| T1003.006 | DCSync |
| T1003.007 | Proc Filesystem |
| T1003.008 | /etc/passwd and /etc/shadow |
Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.
This functionality has been implemented in the MimiPenguin[1], an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.
| ID | Name | Description |
|---|---|---|
| S0349 | LaZagne |
LaZagne can obtain credential information running Linux processes.[2] |
| S0179 | MimiPenguin |
MimiPenguin can dump process memory and extract clear-text credentials.[1] |
| ID | Mitigation | Description |
|---|---|---|
| M1027 | Password Policies |
Ensure that root accounts have complex, unique passwords across all systems on the network. |
| M1026 | Privileged Account Management |
Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing sensitive information. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/*/maps, where the * directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.