Detect Proc Filesystem in Google Chronicle
Adversaries on Linux systems read process memory directly via the /proc filesystem to extract credentials from running processes. By accessing /proc/<PID>/maps to identify memory regions and /proc/<PID>/mem to read those regions, attackers dump credentials from processes like sshd, su, sudo, gnome-keyring, and KWallet without injecting code or using ptrace. Tools include MimiPenguin (specifically targeting sshd and gnome-keyring), LaZagne (Linux edition), and PACEMAKER. This technique requires root privileges or the same UID as the target process. Used by threat actors targeting Linux servers where traditional Windows credential tools don't apply.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.007 Proc Filesystem
- Canonical reference
- https://attack.mitre.org/techniques/T1003/007/
YARA-L Detection Query
rule t1003_007_proc_filesystem_credential_dumping {
meta:
author = "Argus Detection Engineering"
description = "Detects /proc filesystem-based credential dumping (T1003.007) via direct access to /proc/<PID>/mem, maps, or environ by suspicious processes, or execution of known Linux credential harvesting tools."
mitre_attack_technique = "T1003.007"
mitre_attack_tactic = "Credential Access"
severity = "CRITICAL"
priority = "HIGH"
created = "2026-04-13"
version = "1.0"
events:
(
// Pattern 1: Direct /proc/<PID>/mem or maps or environ access
$e.metadata.event_type = "FILE_OPEN"
and re.regex($e.target.file.full_path, `/proc/\d+/(mem|maps|environ)`)
and not re.regex($e.principal.process.file.full_path, `/(gdb|strace|ltrace|cat|ls)$`)
and not re.regex($e.principal.process.file.full_path, `/usr/bin/(gdb|strace|ltrace)$`)
)
or
(
// Pattern 2: Known credential dumping tool execution
$e.metadata.event_type = "PROCESS_LAUNCH"
and (
re.regex($e.principal.process.command_line, `(?i)(mimipenguin|lazagne|pacemaker)`)
or re.regex($e.target.process.file.full_path, `(?i)(mimipenguin|lazagne|pacemaker)`)
or (
re.regex($e.target.process.file.full_path, `python3?$`)
and re.regex($e.target.process.command_line, `lazagne`)
and re.regex($e.target.process.command_line, `(memory|all)`)
)
)
)
or
(
// Pattern 3: Scripting language accessing /proc mem combined with sensitive process targeting
$e.metadata.event_type = "FILE_OPEN"
and re.regex($e.target.file.full_path, `/proc/\d+/mem`)
and re.regex($e.principal.process.file.full_path, `(python3?|perl|ruby|bash)$`)
and re.regex($e.principal.process.command_line, `(sshd|gnome-keyring|kwallet|sudo|su)`)
)
outcome:
$risk_score = if(
re.regex($e.principal.process.file.full_path, `(python3?|perl|ruby|bash)$`)
and re.regex($e.target.file.full_path, `/proc/\d+/mem`), 95,
if(re.regex($e.principal.process.command_line, `(?i)(mimipenguin|lazagne|pacemaker)`), 100, 75)
)
$target_proc_path = $e.target.file.full_path
$initiating_process = $e.principal.process.file.full_path
$command_line = $e.principal.process.command_line
$hostname = $e.principal.hostname
$user = $e.principal.user.userid
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1003.007 Proc Filesystem credential dumping on Linux endpoints. Covers three behavioral patterns: (1) direct file access to /proc/<PID>/mem, maps, or environ by non-debugger processes, (2) execution of known credential harvesting tools (MimiPenguin, LaZagne, PACEMAKER), and (3) scripting language interpreters accessing /proc/<PID>/mem targeting sensitive processes like sshd and gnome-keyring. Risk scores are computed per match type.
Data Sources
Required Tables
False Positives & Tuning
- Authorized penetration testing or red team exercises using MimiPenguin or LaZagne against pre-approved Linux target systems
- Application performance management tools (APM agents such as AppDynamics JVM agent on Linux) that access /proc entries for memory sampling
- Container orchestration platforms reading /proc data for cgroup accounting, namespace inspection, or health checking of sidecar processes
Other platforms for T1003.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MimiPenguin Linux Credential Dump
Expected signal: Auditd SYSCALL events for openat on /proc/<PID>/mem with exe=/usr/bin/python3. DeviceFileEvents (if MDE Linux agent present) for /proc/*/mem access by python3. Syslog entries if gnome-keyring or sshd crash due to memory access attempt.
- Test 2Manual /proc/mem Credential Extraction
Expected signal: Auditd SYSCALL openat events for /proc/<PID>/maps with exe=/bin/cat or /bin/bash. Process creation event for pgrep sshd. DeviceProcessEvents for pgrep and cat with /proc path arguments.
- Test 3LaZagne Linux Memory Module
Expected signal: DeviceProcessEvents for lazagne binary execution with 'memory' argument. Auditd execve event for /tmp/lazagne. Auditd openat events for /proc/*/mem if memory module runs. Network connection to GitHub for download (DeviceNetworkEvents).
References (6)
- https://attack.mitre.org/techniques/T1003/007/
- https://github.com/huntergregal/mimipenguin
- https://github.com/AlessandroZ/LaZagne
- https://security.stackexchange.com/questions/91040/what-is-proc-pid-mem
- https://www.slideshare.net/roottoor1/linux-credential-access-techniques
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md
Unlock Pro Content
Get the full detection package for T1003.007 including response playbook, investigation guide, and atomic red team tests.