T1003.007 CrowdStrike LogScale · LogScale

Detect Proc Filesystem in CrowdStrike LogScale

Adversaries on Linux systems read process memory directly via the /proc filesystem to extract credentials from running processes. By accessing /proc/<PID>/maps to identify memory regions and /proc/<PID>/mem to read those regions, attackers dump credentials from processes like sshd, su, sudo, gnome-keyring, and KWallet without injecting code or using ptrace. Tools include MimiPenguin (specifically targeting sshd and gnome-keyring), LaZagne (Linux edition), and PACEMAKER. This technique requires root privileges or the same UID as the target process. Used by threat actors targeting Linux servers where traditional Windows credential tools don't apply.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.007 Proc Filesystem
Canonical reference
https://attack.mitre.org/techniques/T1003/007/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1003.007 - Proc Filesystem Credential Dumping
// Pattern 1: Direct /proc/<PID>/mem or maps file access by suspicious processes
#event_simpleName = "SyntheticProcessRollup2" OR #event_simpleName = "ProcessRollup2"
| TargetProcessId != ""
| CommandLine = /\/proc\/\d+\/(mem|maps|environ)/
| CommandLine != /\/(gdb|strace|ltrace)\s/
| case {
    CommandLine = /(mimipenguin|MimiPenguin)/ | RiskLevel := "KnownTool_MimiPenguin";
    CommandLine = /(lazagne|LaZagne)/ | RiskLevel := "KnownTool_LaZagne";
    CommandLine = /pacemaker/i | RiskLevel := "KnownTool_PACEMAKER";
    CommandLine = /(python3?|perl|ruby|bash)/ AND CommandLine = /\/proc\/\d+\/mem/
      AND CommandLine = /(sshd|gnome-keyring|kwallet|sudo)/ | RiskLevel := "HighRisk_TargetedDump";
    CommandLine = /\/proc\/\d+\/mem/ | RiskLevel := "Medium_MemDump";
    CommandLine = /\/proc\/\d+\/(maps|environ)/ | RiskLevel := "Review_ProcEnum";
    * | RiskLevel := "Unknown";
  }
| TargetPID := replace("CommandLine", /.*\/proc\/(\d+)\/.*/,  "\\1")
| groupBy(
    [ComputerName, UserName, ImageFileName, CommandLine, RiskLevel, TargetPID],
    function=[
      count(aid, as=EventCount),
      min(ContextTimeStamp, as=FirstSeen),
      max(ContextTimeStamp, as=LastSeen)
    ]
  )
| RiskLevel != "Unknown"
| sort(LastSeen, order=desc)

// Pattern 2: Known tool names detected via process image name
// Run as companion query:
// #event_simpleName = "ProcessRollup2"
// | ImageFileName = /(mimipenguin|lazagne|pacemaker)/i
// | groupBy([ComputerName, UserName, ImageFileName, CommandLine], function=count(aid, as=Hits))
// | sort(Hits, order=desc)
critical severity high confidence

CrowdStrike LogScale (CQL) detection for T1003.007 Proc Filesystem credential dumping. Queries ProcessRollup2 events for processes accessing /proc/<PID>/mem, /proc/<PID>/maps, and /proc/<PID>/environ, excludes known-safe debuggers, and classifies matches into risk tiers (KnownTool, HighRisk, Medium, Review). Extracts target PID from the command line and aggregates by host/user/process for analyst triage. A companion query surfaces known tool names via image file name matching.

Data Sources

CrowdStrike Falcon Insight EDR — Linux sensor (ProcessRollup2 events)CrowdStrike Falcon Spotlight with Linux agent telemetryHumio/LogScale with CrowdStrike Falcon Data Replicator (FDR) feed

Required Tables

ProcessRollup2SyntheticProcessRollup2

False Positives & Tuning

  • Security operations tooling such as Sysdig or Falco that read /proc entries during runtime security monitoring — these are common in cloud-native Linux environments and run with elevated privileges
  • Linux kernel debugging sessions or kernel module development workflows where developers use gdb or custom tools that indirectly spawn processes accessing /proc/<PID>/mem
  • Backup and snapshot agents (Veeam Linux agent, Commvault) that enumerate process memory mappings during live backup operations on busy Linux servers
Download portable Sigma rule (.yml)

Other platforms for T1003.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MimiPenguin Linux Credential Dump

    Expected signal: Auditd SYSCALL events for openat on /proc/<PID>/mem with exe=/usr/bin/python3. DeviceFileEvents (if MDE Linux agent present) for /proc/*/mem access by python3. Syslog entries if gnome-keyring or sshd crash due to memory access attempt.

  2. Test 2Manual /proc/mem Credential Extraction

    Expected signal: Auditd SYSCALL openat events for /proc/<PID>/maps with exe=/bin/cat or /bin/bash. Process creation event for pgrep sshd. DeviceProcessEvents for pgrep and cat with /proc path arguments.

  3. Test 3LaZagne Linux Memory Module

    Expected signal: DeviceProcessEvents for lazagne binary execution with 'memory' argument. Auditd execve event for /tmp/lazagne. Auditd openat events for /proc/*/mem if memory module runs. Network connection to GitHub for download (DeviceNetworkEvents).

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1003.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1003OS Credential Dumping

Related Sub-techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.003NTDST1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.008/etc/passwd and /etc/shadow

Related Techniques

T1003OS Credential DumpingT1003.008/etc/passwd and /etc/shadowT1068Exploitation for Privilege EscalationT1552.003Bash HistoryT1021.004SSH

Same Tactic: Credential Access

Popular Detections