Potential Linux Credential Dumping via Proc Filesystem

Identifies the execution of the mimipenguin exploit script, a Linux adaptation of the Windows tool Mimikatz. The mimipenguin script dumps cleartext passwords of currently logged-in users. The tool exploits a known vulnerability, CVE-2018-20781. Malicious actors can recover cleartext credentials held in memory by dumping the process and extracting the lines that have a high probability of containing cleartext passwords.

Elastic rule

[metadata]
creation_date = "2023/04/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/26"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz.
Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits
a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by
dumping the process and extracting lines that have a high probability of containing cleartext passwords.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Credential Dumping via Proc Filesystem"
references = [
    "https://github.com/huntergregal/mimipenguin",
    "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"
]
risk_score = 47
rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by process.parent.name,host.name with maxspan=1m
[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec"
 and process.args in ("-eo", "pid", "command") ]

[process where host.os.type == "linux" and process.name == "strings" and event.action == "exec"
 and process.args : "/tmp/*" ]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.007"
name = "Proc Filesystem"
reference = "https://attack.mitre.org/techniques/T1003/007/"

[[rule.threat.technique]]
id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
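To make the correlation in the EQL query concrete, the following is an added Python re-implementation of the sequence's matching logic (it is not Elastic's code and not the EQL engine), run over constructed sample endpoint events. The field names follow the rule; the hostnames, parent shells, timestamps and /tmp paths are made up for the example.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(minutes=1)  # "with maxspan=1m" in the rule

def is_ps_stage(ev):
    # First stage; EQL "in" on an array field matches if ANY element is in the list.
    return (ev["host.os.type"] == "linux" and ev["process.name"] == "ps"
            and ev["event.action"] == "exec"
            and any(a in ("-eo", "pid", "command") for a in ev["process.args"]))

def is_strings_stage(ev):
    # Second stage; 'process.args : "/tmp/*"' is a wildcard match against any argument.
    return (ev["host.os.type"] == "linux" and ev["process.name"] == "strings"
            and ev["event.action"] == "exec"
            and any(fnmatchcase(a, "/tmp/*") for a in ev["process.args"]))

def find_sequences(events):
    """Return (ps_event, strings_event) pairs joined on (parent name, host) within MAXSPAN."""
    pending = {}  # join key -> latest unmatched ps exec event
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev["process.parent.name"], ev["host.name"])
        if is_ps_stage(ev):
            pending[key] = ev
        elif is_strings_stage(ev) and key in pending:
            first = pending.pop(key)
            if ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                hits.append((first, ev))
    return hits

# Constructed sample endpoint events (hosts, parents, times and paths are made up).
T0 = datetime(2023, 4, 26, 12, 0, 0)

def mk(offset_s, host, parent, name, args):
    return {"@timestamp": T0 + timedelta(seconds=offset_s), "host.name": host,
            "host.os.type": "linux", "event.action": "exec",
            "process.parent.name": parent, "process.name": name, "process.args": args}

SAMPLE_EVENTS = [
    mk(0, "web-01", "bash", "ps", ["ps", "-eo", "pid", "command"]),     # stage 1
    mk(20, "web-01", "bash", "strings", ["strings", "/tmp/dump.bin"]),  # stage 2, 20 s later -> alert
    mk(25, "web-01", "bash", "strings", ["strings", "/usr/bin/true"]),  # not under /tmp -> ignored
    mk(30, "db-02", "zsh", "ps", ["ps", "-eo", "pid", "command"]),      # stage 1 on another host
    mk(200, "db-02", "zsh", "strings", ["strings", "/tmp/late.bin"]),   # 170 s later -> outside maxspan
]

if __name__ == "__main__":
    for first, second in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT {first['host.name']}: {' '.join(first['process.args'])} -> {' '.join(second['process.args'])}")
```

Note that the first stage on its own is loose (any `ps -eo pid command` matches); the join key and the one-minute window are what make the rule specific, so when tuning it, widen or narrow `maxspan` rather than the `ps` condition.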
