OS Credential Dumping: Proc Filesystem

Other sub-techniques of OS Credential Dumping (8)

ID	Name
ATAGS-T1121.001	/etc/passwd and /etc/shadow
ATAGS-T1121.002	Cached Domain Credentials
ATAGS-T1121.003	DCSync
ATAGS-T1121.004	LSA Secrets
ATAGS-T1121.005	LSASS Memory
ATAGS-T1121.006	NTDS
ATAGS-T1121.007	Proc Filesystem
ATAGS-T1121.008	Security Account Manager

Threat Actors may gather credentials from the proc filesystem or /proc. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the /proc//maps file shows how memory is mapped within the process’s virtual address space. And /proc//mem, exposed for debugging purposes, provides access to the process’s virtual address space.

ID: ATAGS-T1121.007

Sub-technique of: ATAGS-T1121

ⓘ

Tactic: Credential Access

ⓘ

Targeted Components: Mission, Personnel & Identity

ⓘ

Responsibility: Shared

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.