Potential Linux Credential Dumping via Proc Filesystem

edit

Potential Linux Credential Dumping via Proc Filesystem

edit

Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Use Case: Vulnerability
  • Data Source: Elastic Defend

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
sequence by process.parent.name,host.name with maxspan=1m
[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec"
 and process.args in ("-eo", "pid", "command") ]

[process where host.os.type == "linux" and process.name == "strings" and event.action == "exec"
 and process.args : "/tmp/*" ]

Framework: MITRE ATT&CKTM