T1003.007: Proc Filesystem
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/
When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as `grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1`, to look for fixed strings in memory structures or cached hashes.[3] When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.[4][5]
If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
Analyst context for executives and security teams
This Linux credential-access behavior matters because it targets secrets that may be sitting in process memory and exposed through the /proc pseudo-filesystem. If an attacker gains root privileges, or runs with the permissions of a process that can read its own memory, they may be able to recover cleartext credentials, hashes, or browser-related credential material. For leaders, the practical risk is credential reuse after an initial compromise: one affected Linux host can become a source of accounts that enable broader access.
Executive priority
Prioritize this as a Linux identity and incident-response readiness issue, not just a malware signature problem. Executives should ask whether privileged access to Linux systems is tightly controlled, whether SOC teams can see suspicious access to /proc/<PID>/maps and /proc/<PID>/mem, and whether incident responders have a playbook for credential exposure after Linux host compromise. This technique also supports audit and compliance conversations around privileged account management, password policy, logging, and evidence that sensitive credentials are not unnecessarily exposed in application memory.
Technical view
T1003.007 is a Linux sub-technique of OS Credential Dumping under Credential Access. The supplied ATT&CK description centers on adversaries inspecting process memory mappings and memory contents through /proc, especially when running as root or within the permissions of a process such as a browser. SOC and detection engineering teams should validate DET0593-style coverage for abnormal process access to /proc memory interfaces, especially access patterns involving /proc/<PID>/maps and /proc/<PID>/mem by unexpected processes, scripts, or credential-dumping tools. Relationship context identifies MimiPenguin, LaZagne, and PACEMAKER as software that uses this behavior, so detections should not rely only on tool names; they should also look for the underlying filesystem and process-memory access behavior.
Likely telemetry
- Linux process execution telemetry, including command line, parent process, user, and privilege context
- File access telemetry for /proc/<PID>/maps and /proc/<PID>/mem where available
- Audit logs showing privileged account use, sudo/root activity, and access to sensitive process memory interfaces
- Endpoint detection telemetry from Linux hosts capable of recording process-to-file interactions
- Shell/script execution evidence on Linux systems
Detection direction
- Validate whether Linux telemetry records reads or attempted reads of /proc/<PID>/maps and /proc/<PID>/mem; many environments collect process starts but not detailed /proc file access.
- Tune for suspicious combinations: unexpected process memory inspection, root-context access across multiple processes, scripting utilities reading /proc memory-related paths, or browser-context processes searching their own memory.
- Use DET0593 as the relationship-driven detection strategy reference, but confirm locally what data sources are actually available and retained.
- Account for legitimate debugging, troubleshooting, profiling, and administrative activity that may access /proc; detections should include user role, host role, process lineage, and change-window context.
- Do not depend solely on known software names such as MimiPenguin, LaZagne, or PACEMAKER because the ATT&CK behavior can be implemented with other tooling or scripts.
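The detection direction above (reads of /proc/<PID>/maps and /proc/<PID>/mem, root-context access across several processes, browser-context processes reading their own memory) can be turned into a small triage routine over audit records. The block below is an added example written for this page, not code from MITRE, Glexia, or any of the tools named here. It assumes auditd-style SYSCALL and PATH records that share an event id, and the log lines, PIDs, and the `key="proc_mem"` rule key are constructed for illustration; whatever key or data source your environment actually records would be substituted.

```python
import re
from collections import defaultdict

# Constructed auditd-style records for illustration (not real logs). Each event id
# (the number after ':' inside msg=audit(...)) ties a SYSCALL record to its PATH records.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 pid=4100 ppid=4000 auid=1000 uid=1000 euid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="proc_mem"
type=PATH msg=audit(1700000000.101:201): item=0 name="/proc/self/maps" inode=4026532 mode=0100444
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=257 success=yes exit=4 pid=5200 ppid=5100 auid=1000 uid=0 euid=0 comm="python3" exe="/usr/bin/python3" key="proc_mem"
type=PATH msg=audit(1700000000.205:202): item=0 name="/proc/1234/maps" inode=4026533 mode=0100444
type=SYSCALL msg=audit(1700000000.206:203): arch=c000003e syscall=257 success=yes exit=5 pid=5200 ppid=5100 auid=1000 uid=0 euid=0 comm="python3" exe="/usr/bin/python3" key="proc_mem"
type=PATH msg=audit(1700000000.206:203): item=0 name="/proc/1234/mem" inode=4026534 mode=0100600
type=SYSCALL msg=audit(1700000000.207:204): arch=c000003e syscall=257 success=yes exit=5 pid=5200 ppid=5100 auid=1000 uid=0 euid=0 comm="python3" exe="/usr/bin/python3" key="proc_mem"
type=PATH msg=audit(1700000000.207:204): item=0 name="/proc/1300/mem" inode=4026535 mode=0100600
type=SYSCALL msg=audit(1700000000.300:205): arch=c000003e syscall=257 success=yes exit=3 pid=6000 ppid=5900 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="proc_mem"
type=PATH msg=audit(1700000000.300:205): item=0 name="/proc/cpuinfo" inode=4026536 mode=0100444
"""

EVENT_ID_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Only the two /proc memory interfaces named in the technique description.
PROC_MEM_RE = re.compile(r"^/proc/(?P<target>\d+|self)/(?P<file>maps|mem)$")


def parse_events(log_text):
    """Group audit records by event id; keep SYSCALL actor fields and all PATH names."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group("id"), {"paths": []})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev.update({k: fields.get(k) for k in ("pid", "ppid", "uid", "euid", "auid", "comm", "exe")})
        elif fields.get("type") == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return events


def find_proc_memory_access(log_text):
    """One finding per accessing process that opened /proc/<PID>/maps or /proc/<PID>/mem.

    Reads of the process's own memory (/proc/self/... or its own PID) are kept at low
    severity because unprivileged processes may legitimately inspect themselves; reads
    of other processes are medium, and root reading .../mem of two or more other
    processes (the 'search all processes' pattern) is high.
    """
    per_actor = defaultdict(lambda: {"targets": set(), "files": set(), "self_reads": 0})
    for ev in parse_events(log_text).values():
        for path in ev["paths"]:
            m = PROC_MEM_RE.match(path)
            if not m:
                continue
            actor = (ev.get("pid"), ev.get("uid"), ev.get("comm"), ev.get("exe"))
            target = m.group("target")
            if target == "self" or target == ev.get("pid"):
                per_actor[actor]["self_reads"] += 1
            else:
                per_actor[actor]["targets"].add(target)
                per_actor[actor]["files"].add(m.group("file"))

    findings = []
    for (pid, uid, comm, exe), info in per_actor.items():
        severity = "low"
        if info["targets"]:
            severity = "medium"
            if uid == "0" and "mem" in info["files"] and len(info["targets"]) >= 2:
                severity = "high"
        findings.append({
            "pid": pid, "uid": uid, "comm": comm, "exe": exe,
            "targets": sorted(info["targets"]),
            "files": sorted(info["files"]),
            "self_reads": info["self_reads"],
            "severity": severity,
        })
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for finding in find_proc_memory_access(SAMPLE_AUDIT_LOG):
        print(finding)
```

The grouping by event id matters: a SYSCALL record alone tells you who opened a file descriptor, and the PATH record alone tells you which path, so neither line on its own distinguishes a read of `/proc/cpuinfo` from a read of `/proc/1234/mem`. The severity ladder is deliberately coarse; the user-role, host-role, process-lineage and change-window context called for above would be layered on top of these findings rather than folded into the regex.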
Mitigation priorities
- Start with M1026 Privileged Account Management: restrict root and administrative access, enforce least privilege, monitor privileged sessions, and maintain accountability through logging and auditing.
- Apply M1027 Password Policies to reduce downstream risk if credentials or hashes are exposed, including strong password practices and controls against reuse where applicable.
- Review Linux services and applications for cases where credentials may remain in cleartext process memory; prioritize high-value systems and internet-facing workloads.
- Harden operational practices around debugging and memory inspection so legitimate access to /proc memory interfaces is limited, logged, and explainable.
- Ensure incident response procedures include credential rotation and account review when Linux process-memory credential dumping is suspected.
Analyst notes and limits
The ATT&CK object has no official detection text, so this take relies on the technique description and supplied relationships. The strongest defensive decision point is whether the organization can observe and investigate suspicious /proc memory access on Linux, especially under privileged accounts. The software relationships show this behavior is used by multiple tools, including Linux-focused and cross-platform credential recovery tools, but those relationships should be treated as context rather than a complete detection list.
The supplied fields do not prove current exploitation, specific victim exposure, or guaranteed detectability. Detection feasibility depends on local Linux audit, EDR, and logging configuration. The mitigation relationship descriptions are broad, and environment-specific hardening details require local system, application, and identity architecture review.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003 | OS Credential Dumping | This object is a sub-technique of OS Credential Dumping. |
Groups, software, and campaigns
S1109: PACEMAKER
S0349: LaZagne
S0179: MimiPenguin
MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms.[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a45f446ec661… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Picus Labs Proc cump 2022: Huseyin Can YUCEEL & Picus Labs. (2022, March 22). Retrieved March 31, 2023.
[2] baeldung Linux proc map 2022: baeldung. (2022, April 8). Understanding the Linux /proc/id/maps File. Retrieved March 31, 2023.
[3] atomic-red proc file system: Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024.
[4] MimiPenguin GitHub May 2017: Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017.
[5] Polop Linux PrivEsc Gitbook: Carlos Polop. (2023, March 5). Linux Privilege Escalation. Retrieved March 31, 2023.
[6] mitre-attack T1003.007
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.