T1003.007 Proc Filesystem Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ProcMemAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath matches regex @"/proc/\d+/mem"
    or FolderPath matches regex @"/proc/\d+/maps"
    or FolderPath matches regex @"/proc/\d+/environ"
| where InitiatingProcessFileName !in~ ("gdb", "strace", "ltrace", "python3", "python")
    or InitiatingProcessCommandLine has_any ("sshd", "gnome-keyring", "kwallet", "su", "sudo")
| project Timestamp, DeviceName, AccountName, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
let MimiPenguinPattern = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "mimipenguin", "MimiPenguin",
    "/proc/", "gnome-keyring",
    "sshd", "kwallet-daemon"
  )
    and ProcessCommandLine has "/proc/"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let LaZagneLinux = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "python3" or FileName =~ "python"
| where ProcessCommandLine has "lazagne" and ProcessCommandLine has_any ("memory", "all")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union ProcMemAccess, MimiPenguinPattern, LaZagneLinux
| sort by Timestamp desc

critical severity high confidence

Data Sources

File: File Access Process: Process Creation Command: Command Execution

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

GDB debugger sessions legitimately accessing /proc/<PID>/mem when debugging application crashes or memory issues
Security tools like Valgrind, Sanitizers, or custom profilers reading process memory maps for performance analysis
Legitimate Python debugging frameworks (pdb, pydevd) accessing /proc for process introspection
System monitoring tools (htop, systemd-coredump) reading /proc/<PID>/maps for process information display
Container orchestration tools like containerd or Docker reading /proc entries for container lifecycle management

Splunk

spl

index=linux_logs
  (sourcetype="linux_auditd" OR sourcetype="auditd")
  (syscall=open OR syscall=openat OR syscall=read)
  (name="/proc/*/mem" OR name="/proc/*/maps" OR name="/proc/*/environ")
  NOT (exe="/usr/bin/gdb" OR exe="/usr/bin/strace" OR exe="/usr/bin/cat")
| eval proc_pid=replace(name, "/proc/(\d+)/.*", "\1")
| eval suspicious=if(match(exe, "python|perl|ruby|bash") AND match(name, "/proc/\d+/mem"), "HighRisk", "Review")
| table _time, host, exe, uid, pid, proc_pid, name, suspicious
| sort - _time
| union
  [search index=linux_logs sourcetype="linux_secure" OR sourcetype="syslog"
   ("mimipenguin" OR "MimiPenguin" OR "lazagne" OR "PACEMAKER")
  | table _time, host, process, message
  | sort - _time]

critical severity high confidence

Data Sources

Linux: Auditd Syscall Events Process: Process Creation File: File Access

Required Sourcetypes

linux_auditd auditd linux_secure syslog

False Positives

GDB, strace, or ltrace accessing /proc/<PID>/mem for legitimate debugging sessions
Performance profilers (perf, pprof) reading process maps to resolve stack frames
Application monitoring agents (Datadog, New Relic) using /proc for metric collection
Core dump utilities reading process memory after crashes (systemd-coredump, apport)
Container introspection tools reading /proc for namespace and cgroup information

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [file where event.type in ("access", "open") and
    file.path : ("/proc/*/mem", "/proc/*/maps", "/proc/*/environ") and
    not process.name in ("gdb", "strace", "ltrace") and
    not process.executable in ("/usr/bin/gdb", "/usr/bin/strace", "/usr/bin/ltrace", "/usr/bin/cat", "/usr/bin/ls")
  ] by process.pid
  [process where event.type == "start" and
    (process.args : ("/proc/*/mem", "/proc/*/maps") or
     process.name in ("mimipenguin", "lazagne", "pacemaker"))
  ] by process.pid

OR

process where event.type == "start" and
  (
    (process.name in ("python3", "python") and
     process.args : "lazagne" and
     process.args : ("memory", "all"))
    or
    process.name : "mimipenguin*"
    or
    (process.args : "/proc/*/mem" and
     process.args : ("sshd", "gnome-keyring", "kwallet", "su", "sudo"))
  )

critical severity high confidence

Data Sources

Elastic Endpoint Security Agent (Linux) Auditbeat with file integrity and process modules

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* auditbeat-*

False Positives

Legitimate debuggers (gdb, strace, ltrace) accessing /proc/<PID>/mem during authorized debugging sessions — excluded by process name filter but may appear if called indirectly
System monitoring tools such as htop, procps, or performance agents (Datadog, New Relic, Dynatrace) that enumerate /proc for resource tracking
Python-based administration scripts that iterate /proc for process management or monitoring, particularly in containerized environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "HOST"(sourceip) AS hostname,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category,
  "processname" AS process_name,
  "filepath" AS file_path,
  CASE
    WHEN LOWER("processname") IN ('mimipenguin', 'lazagne', 'pacemaker') THEN 'KnownCredDumpTool'
    WHEN LOWER("processname") IN ('python3', 'python', 'perl', 'ruby', 'bash')
     AND "filepath" LIKE '/proc/%/mem' THEN 'HighRisk'
    WHEN "filepath" LIKE '/proc/%/maps'
      OR "filepath" LIKE '/proc/%/environ' THEN 'Review'
    ELSE 'Unknown'
  END AS risk_level,
  REGEXP_REPLACE("filepath", '/proc/(\\d+)/.*', '\\1') AS target_pid
FROM events
WHERE
  LOGSOURCETYPEID IN (11 /* Linux Syslog */, 191 /* Audit */)
  AND starttime > NOW() - 86400 SECONDS
  AND (
    ("filepath" LIKE '/proc/%/mem'
     OR "filepath" LIKE '/proc/%/maps'
     OR "filepath" LIKE '/proc/%/environ')
    AND LOWER("processname") NOT IN ('gdb', 'strace', 'ltrace', 'cat')
  )
  OR (
    LOWER("processname") IN ('mimipenguin', 'lazagne', 'pacemaker')
  )
  OR (
    LOWER("processname") IN ('python3', 'python')
    AND ("Message" ILIKE '%lazagne%' AND ("Message" ILIKE '%memory%' OR "Message" ILIKE '%all%'))
  )
ORDER BY starttime DESC
LAST 24 HOURS

critical severity medium confidence

Data Sources

Linux Syslog (QRadar DSM) Linux OS Audit (auditd via QRadar) RHEL/CentOS/Debian endpoint log sources

Required Tables

events

False Positives

Performance monitoring agents (Zabbix, Nagios, Prometheus node exporter) that read /proc entries for system metrics — these typically run as root and access maps/status files
Container runtime daemons (containerd, dockerd) that inspect /proc for namespace and cgroup information during container lifecycle operations
Python-based automation scripts run by system administrators for legitimate process introspection or memory profiling

Sumo Logic CSE

sql

(_sourceCategory="linux/audit" OR _sourceCategory="linux/syslog" OR _sourceCategory="os/linux")
| where _raw matches /\/proc\/\d+\/(mem|maps|environ)/ OR _raw matches /mimipenguin|lazagne|pacemaker/i
| parse regex field=_raw "exe=\"(?<exe>[^\"]+)\""
| parse regex field=_raw "name=\"(?<accessed_file>[^\"]+)\""
| parse regex field=_raw "syscall=(?<syscall>\S+)"
| parse regex field=_raw "pid=(?<pid>\d+)"
| parse regex field=_raw "uid=(?<uid>\d+)"
| parse regex field=_raw "hostname=(?<hostname>\S+)"
| parse regex field=accessed_file "/proc/(?<target_pid>\d+)/(?<proc_entry>\S+)" nodrop
| where !(exe matches /\/(gdb|strace|ltrace|cat)$/)
| eval risk = if(exe matches /python|perl|ruby|bash/ && accessed_file matches /\/proc\/\d+\/mem/, "HighRisk",
             if(exe matches /mimipenguin|lazagne|pacemaker/i, "KnownTool",
             if(accessed_file matches /\/proc\/\d+\/(mem|maps|environ)/, "Review", "Unknown")))
| where risk in ("HighRisk", "KnownTool", "Review")
| fields _messageTime, hostname, exe, uid, pid, target_pid, proc_entry, accessed_file, syscall, risk
| sort by _messageTime desc

// Union: Known tool names in syslog/secure logs
// Run separately and correlate:
// (_sourceCategory="linux/secure" OR _sourceCategory="linux/syslog")
// | where _raw matches /mimipenguin|MimiPenguin|lazagne|PACEMAKER/i
// | parse regex "(?<process>\\S+)\\[(?<pid>\\d+)\\]" nodrop
// | fields _messageTime, _sourceHost, process, pid, _raw

critical severity medium confidence

Data Sources

Linux auditd logs via Sumo Logic Installed Collector Linux syslog (/var/log/syslog, /var/log/auth.log, /var/log/secure) Sumo Logic Cloud Syslog source for centralized Linux endpoints

Required Tables

_sourceCategory=linux/audit _sourceCategory=linux/syslog _sourceCategory=linux/secure

False Positives

Security scanning tools such as ClamAV or AIDE that read process memory maps as part of behavioral monitoring or rootkit detection
Language runtimes (Python, Ruby, Perl) executing legitimate administrative tasks that incidentally access /proc entries for self-inspection or inter-process communication
CI/CD pipeline agents or test harnesses that invoke debugging-adjacent tools during integration testing on Linux build nodes

Google Chronicle / SecOps

yaral

rule t1003_007_proc_filesystem_credential_dumping {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects /proc filesystem-based credential dumping (T1003.007) via direct access to /proc/<PID>/mem, maps, or environ by suspicious processes, or execution of known Linux credential harvesting tools."
    mitre_attack_technique = "T1003.007"
    mitre_attack_tactic = "Credential Access"
    severity = "CRITICAL"
    priority = "HIGH"
    created = "2026-04-13"
    version = "1.0"

  events:
    (
      // Pattern 1: Direct /proc/<PID>/mem or maps or environ access
      $e.metadata.event_type = "FILE_OPEN"
      and re.regex($e.target.file.full_path, `/proc/\d+/(mem|maps|environ)`)
      and not re.regex($e.principal.process.file.full_path, `/(gdb|strace|ltrace|cat|ls)$`)
      and not re.regex($e.principal.process.file.full_path, `/usr/bin/(gdb|strace|ltrace)$`)
    )
    or
    (
      // Pattern 2: Known credential dumping tool execution
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.principal.process.command_line, `(?i)(mimipenguin|lazagne|pacemaker)`)
        or re.regex($e.target.process.file.full_path, `(?i)(mimipenguin|lazagne|pacemaker)`)
        or (
          re.regex($e.target.process.file.full_path, `python3?$`)
          and re.regex($e.target.process.command_line, `lazagne`)
          and re.regex($e.target.process.command_line, `(memory|all)`)
        )
      )
    )
    or
    (
      // Pattern 3: Scripting language accessing /proc mem combined with sensitive process targeting
      $e.metadata.event_type = "FILE_OPEN"
      and re.regex($e.target.file.full_path, `/proc/\d+/mem`)
      and re.regex($e.principal.process.file.full_path, `(python3?|perl|ruby|bash)$`)
      and re.regex($e.principal.process.command_line, `(sshd|gnome-keyring|kwallet|sudo|su)`)
    )

  outcome:
    $risk_score = if(
      re.regex($e.principal.process.file.full_path, `(python3?|perl|ruby|bash)$`)
      and re.regex($e.target.file.full_path, `/proc/\d+/mem`), 95,
      if(re.regex($e.principal.process.command_line, `(?i)(mimipenguin|lazagne|pacemaker)`), 100, 75)
    )
    $target_proc_path = $e.target.file.full_path
    $initiating_process = $e.principal.process.file.full_path
    $command_line = $e.principal.process.command_line
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid

  condition:
    $e
}

critical severity high confidence

Data Sources

Chronicle UDM events from Linux endpoint telemetry (CrowdStrike, SentinelOne, or Elastic agents forwarding to Chronicle) Google Chronicle Ingestion API with Linux auditd connector Chronicle SOAR Linux endpoint data feeds

Required Tables

UDM events (FILE_OPEN, PROCESS_LAUNCH)

False Positives

Authorized penetration testing or red team exercises using MimiPenguin or LaZagne against pre-approved Linux target systems
Application performance management tools (APM agents such as AppDynamics JVM agent on Linux) that access /proc entries for memory sampling
Container orchestration platforms reading /proc data for cgroup accounting, namespace inspection, or health checking of sidecar processes

CrowdStrike LogScale (CQL)

cql

// T1003.007 - Proc Filesystem Credential Dumping
// Pattern 1: Direct /proc/<PID>/mem or maps file access by suspicious processes
#event_simpleName = "SyntheticProcessRollup2" OR #event_simpleName = "ProcessRollup2"
| TargetProcessId != ""
| CommandLine = /\/proc\/\d+\/(mem|maps|environ)/
| CommandLine != /\/(gdb|strace|ltrace)\s/
| case {
    CommandLine = /(mimipenguin|MimiPenguin)/ | RiskLevel := "KnownTool_MimiPenguin";
    CommandLine = /(lazagne|LaZagne)/ | RiskLevel := "KnownTool_LaZagne";
    CommandLine = /pacemaker/i | RiskLevel := "KnownTool_PACEMAKER";
    CommandLine = /(python3?|perl|ruby|bash)/ AND CommandLine = /\/proc\/\d+\/mem/
      AND CommandLine = /(sshd|gnome-keyring|kwallet|sudo)/ | RiskLevel := "HighRisk_TargetedDump";
    CommandLine = /\/proc\/\d+\/mem/ | RiskLevel := "Medium_MemDump";
    CommandLine = /\/proc\/\d+\/(maps|environ)/ | RiskLevel := "Review_ProcEnum";
    * | RiskLevel := "Unknown";
  }
| TargetPID := replace("CommandLine", /.*\/proc\/(\d+)\/.*/,  "\\1")
| groupBy(
    [ComputerName, UserName, ImageFileName, CommandLine, RiskLevel, TargetPID],
    function=[
      count(aid, as=EventCount),
      min(ContextTimeStamp, as=FirstSeen),
      max(ContextTimeStamp, as=LastSeen)
    ]
  )
| RiskLevel != "Unknown"
| sort(LastSeen, order=desc)

// Pattern 2: Known tool names detected via process image name
// Run as companion query:
// #event_simpleName = "ProcessRollup2"
// | ImageFileName = /(mimipenguin|lazagne|pacemaker)/i
// | groupBy([ComputerName, UserName, ImageFileName, CommandLine], function=count(aid, as=Hits))
// | sort(Hits, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR — Linux sensor (ProcessRollup2 events) CrowdStrike Falcon Spotlight with Linux agent telemetry Humio/LogScale with CrowdStrike Falcon Data Replicator (FDR) feed

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Security operations tooling such as Sysdig or Falco that read /proc entries during runtime security monitoring — these are common in cloud-native Linux environments and run with elevated privileges
Linux kernel debugging sessions or kernel module development workflows where developers use gdb or custom tools that indirectly spawn processes accessing /proc/<PID>/mem
Backup and snapshot agents (Veeam Linux agent, Commvault) that enumerate process memory mappings during live backup operations on busy Linux servers

Proc Filesystem

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections