EXPLORE
Sign In
← Back to Explore
T1003.007

Proc Filesystem

Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux...

Linux
5
Detections
1
Sources
0
Threat Actors

BY SOURCE

5elastic

PROCEDURES (4)

Privilege2 detections

Auto-extracted: 2 detections for privilege

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

DETECTIONS (5)

Linux init (PID 1) Secret Dump via GDB
elastichigh
Linux Process Hooking via GDB
elasticlow
Manual Memory Dumping via Proc Filesystem
elastichigh
Potential Linux Credential Dumping via Proc Filesystem
elastichigh
Suspicious /proc/maps Discovery
elastichigh