Proc Filesystem - T1003.007
(ATT&CK® Technique)
Definition
Adversaries may gather credentials from the proc filesystem, or /proc. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux-based systems managing virtual memory. For each process, the /proc/<PID>/maps file shows how memory is mapped within the process's virtual address space. The /proc/<PID>/mem file, exposed for debugging purposes, provides access to the process's virtual address space.
D3FEND Inferred Relationships
Artifacts accessed by the offensive technique:
Proc Filesystem (T1003.007) --accesses--> Operating System File
Proc Filesystem (T1003.007) --accesses--> Process Image

Defensive techniques inferred through the Operating System File artifact:
Local File Permissions --restricts--> Operating System File; may-isolate Proc Filesystem
Restore File --restores--> Operating System File; may-restore Proc Filesystem
Decoy File --spoofs--> Operating System File; may-deceive Proc Filesystem
File Encryption --encrypts--> Operating System File; may-harden Proc Filesystem
File Eviction --deletes--> Operating System File; may-evict Proc Filesystem
File Integrity Monitoring --analyzes--> Operating System File; may-detect Proc Filesystem
System File Analysis --analyzes--> Operating System File; may-detect Proc Filesystem
Remote File Access Mediation --isolates--> Operating System File; may-isolate Proc Filesystem
File Analysis --analyzes--> Operating System File; may-detect Proc Filesystem