Clankerusecase
MITRE ATT&CK detection coverage

T1003.007 Proc Filesystem

T1003.007 — Proc Filesystem is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 7 detection use cases covering it and 7 threat-intel articles citing it.

Credential Access
7 Use cases
7 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (7)

[LLM] Process reading /proc/<pid>/mem of GitHub Actions Runner.Worker (in-memory secret extraction) Bespoke actions · alerting DSΣPDDCS
[LLM] GitHub Actions Runner.Worker process-memory secret scraping via /proc Bespoke actions · hunting DSΣPDDCS
[LLM] python3 reading /proc/<PID>/mem to scrape Runner.Worker secrets Bespoke actions · alerting DSΣPDDCS
[LLM] Read of /proc/<pid>/mem targeting GitHub Runner.Worker (TeamPCP credential dump) Bespoke actions · alerting DSΣPDD
[LLM] GitHub Actions runner — process reads runner worker memory to extract GITHUB_TOKEN Bespoke actions · hunting DSΣPDDCS
[LLM] Runner.Worker process memory dump via memdump.py on CI/CD runner (tj-actions credential theft) Bespoke actions · alerting DSΣPDDCS
[LLM] Linux process opens /proc/<pid>/mem or /proc/<pid>/maps on a build/CI host (CVE-2025-8217 / CVE-2025-30066 memory dump TTP) Bespoke actions · alerting DSΣPDD

Articles citing this technique (7)