Potential Linux Credential Dumping via Proc Filesystem
Identifies the execution of the mimipenguin exploit script, a Linux adaptation of the Windows tool Mimikatz. The mimipenguin exploit script is used to dump cleartext passwords from a currently logged-in user. The tool exploits a known vulnerability, CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/04/26"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of the mimipenguin exploit script, a Linux adaptation of the Windows tool Mimikatz.
The mimipenguin exploit script is used to dump cleartext passwords from a currently logged-in user. The tool exploits a
known vulnerability, CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the
process and extracting lines that have a high probability of containing cleartext passwords.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Credential Dumping via Proc Filesystem"
references = [
    "https://github.com/huntergregal/mimipenguin",
    "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781",
]
risk_score = 47
rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as the configuration setting, which provides "All events; all preventions".
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: SentinelOne",
    "Data Source: Elastic Endgame",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id, process.parent.name with maxspan=1m
  [process where host.os.type == "linux" and process.name == "ps" and event.action in ("exec", "start", "exec_event")
   and process.args in ("-eo", "pid", "command")]
  [process where host.os.type == "linux" and process.name == "strings" and event.action in ("exec", "start", "exec_event")
   and process.args : "/tmp/*"]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Linux Credential Dumping via Proc Filesystem

The /proc filesystem in Linux provides a window into the system's processes, offering details like memory usage and command-line arguments. Adversaries exploit this by using tools like mimipenguin to extract plaintext credentials from memory, leveraging vulnerabilities such as CVE-2018-20781. The detection rule identifies suspicious sequences involving the 'ps' and 'strings' commands, which are indicative of attempts to access and parse sensitive data from the /proc filesystem.

### Possible investigation steps

- Review the alert details to identify the specific host.id where the suspicious activity was detected, focusing on the processes involved.
- Examine the process execution history on the affected host to confirm the presence of the 'ps' and 'strings' commands executed in sequence, as indicated by the query.
- Investigate the command-line arguments used with the 'ps' and 'strings' commands to determine if they match the suspicious patterns specified in the query, such as '-eo pid command' and '/tmp/*'.
- Check for any recent modifications or suspicious files in the /tmp directory on the affected host, as this is a common location for temporary files used in attacks.
- Analyze the system logs and any available network traffic data to identify potential lateral movement or data exfiltration attempts following the credential dumping activity.
- Assess the system for any signs of compromise or additional malicious activity, such as unauthorized user accounts or unexpected network connections.
- Consider isolating the affected host from the network to prevent further credential exposure and initiate a comprehensive forensic analysis to understand the full scope of the incident.

### False positive analysis

- System administrators or monitoring tools may use the 'ps' and 'strings' commands for legitimate system diagnostics and performance monitoring. To mitigate this, create exceptions for known administrative scripts or tools that regularly execute these commands.
- Automated scripts for system health checks might trigger the rule if they use 'ps' and 'strings' to gather process information. Identify and whitelist these scripts by their specific command patterns or execution paths.
- Security tools that perform regular scans or audits might mimic the behavior detected by the rule. Review and exclude these tools by their process names or execution context to prevent false alerts.
- Developers or testers running debugging sessions may inadvertently trigger the rule when analyzing process memory. Establish a process to temporarily disable the rule or exclude specific user accounts during known testing periods.
- Custom monitoring solutions that log process details for analysis could match the rule's criteria. Document and exclude these solutions by their unique execution characteristics or host identifiers.

### Response and remediation

- Immediately isolate the affected host from the network to prevent further credential exposure and potential lateral movement by the adversary.
- Terminate any suspicious processes identified by the detection rule, specifically those involving the 'ps' and 'strings' commands with the specified arguments.
- Conduct a thorough review of the affected system's process memory and logs to identify any additional unauthorized access or data exfiltration attempts.
- Change passwords for all user accounts on the affected system, prioritizing those with elevated privileges, to mitigate the risk of credential misuse.
- Apply patches and updates to address CVE-2018-20781 and any other known vulnerabilities on the affected system to prevent future exploitation.
- Enhance monitoring and logging on the affected host and similar systems to detect any recurrence of the exploit or similar suspicious activities.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.007"
name = "Proc Filesystem"
reference = "https://attack.mitre.org/techniques/T1003/007/"


[[rule.threat.technique]]
id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
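The EQL query above joins two process events on host.id and process.parent.name within a one-minute window, and its `process.args in (...)` and `process.args : "/tmp/*"` clauses match if any single argument satisfies the condition. The following Python model, an added example that is not part of the Elastic rule or the detection-rules repository, replays that logic over constructed ECS-style process events so an analyst can see which event pairs the rule would pair up and why. The `allowed_parents` parameter is an assumption added here to illustrate the parent-name exception suggested in the false positive analysis section; field names follow ECS, and the sample events, host ids and timestamps are constructed for the example.

```python
"""Added example (not Elastic's code): a Python model of the rule's EQL sequence
run over constructed ECS-style process events."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(minutes=1)                     # "with maxspan=1m"
EXEC_ACTIONS = {"exec", "start", "exec_event"}     # event.action values in the rule
PS_ARGS = ("-eo", "pid", "command")                # process.args in (...)
STRINGS_ARG_PATTERN = "/tmp/*"                     # process.args : "/tmp/*"


def is_ps_stage(ev):
    """First sequence stage: 'ps' executed with any one of the listed arguments.
    EQL's `in` on an array field matches if any element equals a listed value."""
    return (ev["host.os.type"] == "linux"
            and ev["process.name"] == "ps"
            and ev["event.action"] in EXEC_ACTIONS
            and any(arg in PS_ARGS for arg in ev["process.args"]))


def is_strings_stage(ev):
    """Second sequence stage: 'strings' with any argument under /tmp.
    EQL's `:` is a case-insensitive wildcard match, approximated here with
    fnmatchcase on the lower-cased argument."""
    return (ev["host.os.type"] == "linux"
            and ev["process.name"] == "strings"
            and ev["event.action"] in EXEC_ACTIONS
            and any(fnmatchcase(arg.lower(), STRINGS_ARG_PATTERN)
                    for arg in ev["process.args"]))


def find_sequences(events, allowed_parents=frozenset()):
    """Return (ps_event, strings_event) pairs that share host.id and
    process.parent.name, occur in order, and are at most MAXSPAN apart.
    allowed_parents (assumed helper, not in the rule) models a tuning
    exception for known administrative parent processes."""
    ordered = sorted(events, key=lambda e: e["@timestamp"])
    pending = {}   # join key -> most recent unmatched first-stage event
    hits = []
    for ev in ordered:
        key = (ev["host.id"], ev["process.parent.name"])
        if ev["process.parent.name"] in allowed_parents:
            continue
        if is_ps_stage(ev):
            pending[key] = ev          # (re)start a sequence for this join key
        elif is_strings_stage(ev) and key in pending:
            first = pending.pop(key)   # consume the pending first stage either way
            if ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                hits.append((first, ev))
    return hits


def make_event(ts, host, parent, name, args, action="exec", os_type="linux"):
    """Build a minimal ECS-shaped process event (constructed sample data)."""
    return {"@timestamp": datetime.fromisoformat(ts), "host.id": host,
            "process.parent.name": parent, "process.name": name,
            "process.args": args, "event.action": action,
            "host.os.type": os_type}


# Constructed sample telemetry: one true sequence, one benign near miss, one
# pair of matching stages that falls outside the one-minute window.
SAMPLE_EVENTS = [
    make_event("2025-01-15T10:00:00", "host-a", "bash", "ps",
               ["ps", "-eo", "pid", "command"]),
    make_event("2025-01-15T10:00:12", "host-a", "bash", "strings",
               ["strings", "/tmp/dump.bin"]),
    make_event("2025-01-15T10:05:00", "host-b", "bash", "ps", ["ps", "aux"]),
    make_event("2025-01-15T10:05:05", "host-b", "bash", "strings",
               ["strings", "/tmp/x"]),
    make_event("2025-01-15T11:00:00", "host-c", "sh", "ps",
               ["ps", "-eo", "pid,command"]),
    make_event("2025-01-15T11:02:00", "host-c", "sh", "strings",
               ["strings", "/tmp/y"]),
]


def summarize(events, allowed_parents=frozenset()):
    """Return one (host.id, parent, seconds-between-stages) tuple per hit."""
    return [(ps["host.id"], ps["process.parent.name"],
             int((st["@timestamp"] - ps["@timestamp"]).total_seconds()))
            for ps, st in find_sequences(events, allowed_parents)]


if __name__ == "__main__":
    for host, parent, gap in summarize(SAMPLE_EVENTS):
        print(f"sequence on {host}: ps then strings under {parent}, {gap}s apart")
```

Two details of the model are worth keeping in mind when tuning the real rule: `ps -eo pid,command` still satisfies the first stage because `-eo` alone is in the argument list, and the second host-b pair never matches because `ps aux` carries none of the listed arguments. Passing `allowed_parents={"bash"}` suppresses the host-a hit, which is the kind of exception the false positive analysis recommends for known administrative shells or scripts; in Kibana the equivalent would be a rule exception on process.parent.name or process.parent.executable.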
Related rules
- Cupsd or Foomatic-rip Shell Execution
- Linux Process Hooking via GDB
- Linux init (PID 1) Secret Dump via GDB
- Pluggable Authentication Module (PAM) Creation in Unusual Directory
- Pluggable Authentication Module (PAM) Version Discovery