Potential Linux Credential Dumping via Proc Filesystem

Identifies the execution of the mimipenguin exploit script, which is a Linux adaptation of the Windows tool Mimikatz. The mimipenguin exploit script is used to dump cleartext passwords of a currently logged-in user. The tool exploits a known vulnerability, CVE-2018-20781. Malicious actors can obtain the cleartext credentials held in memory by dumping the process and extracting the lines that have a high probability of containing cleartext passwords.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Use Case: Vulnerability

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence by process.parent.name,host.name with maxspan=1m
[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec"
 and process.args in ("-eo", "pid", "command") ]

[process where host.os.type == "linux" and process.name == "strings" and event.action == "exec"
 and process.args : "/tmp/*" ]
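The following Python is an added example, not part of the Elastic rule or its repository: it re-implements the sequence logic of the query above over a handful of constructed ECS-style endpoint events, so a defender can see how the two stages, the shared sequence keys (process.parent.name, host.name) and the one-minute maxspan combine to produce an alert. The event dictionaries, the function names and the simplification of tracking only the most recent open stage-1 event per key are assumptions of this example, not behaviour of the Elastic EQL engine.

```python
# Added example (not Elastic's rule code): a minimal re-implementation of the
# EQL sequence above, run over constructed ECS-style endpoint events.
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(minutes=1)  # mirrors "with maxspan=1m"


def _ts(event):
    """Parse an ISO-8601 @timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def _base(event):
    """Conditions shared by both stages: Linux host and an exec action."""
    return event.get("host.os.type") == "linux" and event.get("event.action") == "exec"


def is_ps_listing(event):
    """Stage 1: `ps` executed with any of -eo / pid / command among its args.
    EQL `process.args in (...)` is true when any array element equals a listed value."""
    return (_base(event) and event.get("process.name") == "ps"
            and any(a in ("-eo", "pid", "command") for a in event.get("process.args", [])))


def is_strings_on_tmp(event):
    """Stage 2: `strings` executed with an argument matching /tmp/* (EQL wildcard `:`)."""
    return (_base(event) and event.get("process.name") == "strings"
            and any(fnmatchcase(a, "/tmp/*") for a in event.get("process.args", [])))


def detect_sequences(events, maxspan=MAXSPAN):
    """Return one alert per stage-1 -> stage-2 pair that shares
    (process.parent.name, host.name) and completes within maxspan.
    Simplified versus real EQL: only the latest open stage-1 per key is kept."""
    pending = {}  # (parent name, host name) -> timestamp of the open stage-1 event
    alerts = []
    for event in sorted(events, key=_ts):
        key = (event.get("process.parent.name"), event.get("host.name"))
        now = _ts(event)
        if is_ps_listing(event):
            pending[key] = now
        elif is_strings_on_tmp(event):
            started = pending.pop(key, None)
            if started is not None and now - started <= maxspan:
                alerts.append({
                    "host.name": key[1],
                    "process.parent.name": key[0],
                    "span_seconds": (now - started).total_seconds(),
                    "strings.args": event.get("process.args"),
                })
    return alerts


def _ev(ts, host, parent, name, args):
    """Build a constructed, flattened ECS-style exec event (sample data only)."""
    return {"@timestamp": ts, "host.name": host, "host.os.type": "linux",
            "event.action": "exec", "process.name": name, "process.args": args,
            "process.parent.name": parent}


# Constructed sample telemetry; only host-a should alert.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "host-a", "bash", "ps", ["ps", "-eo", "pid,command"]),
    _ev("2024-05-01T10:00:20Z", "host-a", "bash", "strings", ["strings", "/tmp/dump.bin"]),
    # same pattern on host-b but three minutes apart: outside maxspan, no alert
    _ev("2024-05-01T10:05:00Z", "host-b", "sshd", "ps", ["ps", "-eo", "pid,command"]),
    _ev("2024-05-01T10:08:00Z", "host-b", "sshd", "strings", ["strings", "/tmp/out.txt"]),
    # `ps aux` lacks the listed args, so stage 1 never opens for host-c
    _ev("2024-05-01T10:11:00Z", "host-c", "cron", "ps", ["ps", "aux"]),
    _ev("2024-05-01T10:11:05Z", "host-c", "cron", "strings", ["strings", "/tmp/x.txt"]),
    # strings on a path outside /tmp: stage 2 never matches for host-d
    _ev("2024-05-01T10:12:00Z", "host-d", "bash", "ps", ["ps", "-eo", "pid,command"]),
    _ev("2024-05-01T10:12:10Z", "host-d", "bash", "strings", ["strings", "/home/user/notes.txt"]),
]

if __name__ == "__main__":
    for alert in detect_sequences(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints a single alert for host-a with a 20-second span; the host-b pair is dropped by the maxspan check, and host-c and host-d never satisfy both stages. Tuning the rule in production amounts to adjusting exactly these three levers: the stage predicates, the key fields and the window.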

Framework: MITRE ATT&CK™