title: Proc Filesystem (T1003.007)
id: df00tech-t1003-007
status: experimental
description: "Adversaries on Linux systems read process memory directly via the /proc filesystem to extract credentials from running processes. By accessing /proc/<PID>/maps to identify memory regions and /proc/<PID>/mem to read those regions, attackers dump credentials from processes like sshd, su, sudo, gnome-keyring, and KWallet without injecting code or using ptrace. Tools include MimiPenguin (specifically targeting sshd and gnome-keyring), LaZagne (Linux edition), and PACEMAKER. This technique requires root privileges or the same UID as the target process. Used by threat actors targeting Linux servers where traditional Windows credential tools don't apply."
references:
  - https://attack.mitre.org/techniques/T1003/007/
  - https://df00tech.com/detections/T1003.007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1003.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "GDB debugger sessions legitimately accessing /proc/<PID>/mem when debugging application crashes or memory issues"
  - "Security tools like Valgrind, Sanitizers, or custom profilers reading process memory maps for performance analysis"
  - "Legitimate Python debugging frameworks (pdb, pydevd) accessing /proc for process introspection"
  - "System monitoring tools (htop, systemd-coredump) reading /proc/<PID>/maps for process information display"
  - Container orchestration tools like containerd or Docker reading /proc entries for container lifecycle management
level: critical