exfil-pi

Exfiltrated Process Information

Information about processes can be useful to an attacker. For example, learning when processes start and stop, who is running which process, what command line it was started with (which sometimes carries passwords or tokens as arguments), how long a process has been running, or how many resources it is consuming may be necessary to perform more complex attacks.

Attack Vector

These attacks most often arise when an attacker shares a system with the victim, for example on a multi-user server or a container host. There are several tools for monitoring running processes that are useful for extracting this sort of information. On Unix-like systems, command-line utilities such as ps, top, and pgrep can be used to monitor processes; on Linux they all read /proc, whose per-process entries (/proc/<pid>/status, /proc/<pid>/cmdline, and so on) are world-readable by default, so the same data can be collected with a simple script even where those tools are absent.

Impact

While this attack by itself amounts only to limited metadata exfiltration, that metadata is often the reconnaissance step for a more advanced attack, such as timing an action to a process's start, picking out a victim's long-running job, or harvesting secrets passed on a command line.

Defenses

Preventing process information from leaking requires defenses at the operating-system level, and each operating system implements them differently. On Linux the usual control is mounting /proc with the hidepid option: hidepid=1 denies other users access to the contents of /proc/<pid> directories, and hidepid=2 hides the directories entirely, which leaves ps, top, and pgrep unable to see other users' processes at all. PID namespaces, as used by containers, give each workload its own process table and achieve the same separation more strongly. Two caveats: root and any group named with the gid= mount option still see everything, and none of this helps against an attacker who already runs as the victim user. See Other resources for more information.
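The following check, added here as an example and not taken from the original page, parses the /proc/mounts table (fields: device, mount point, filesystem type, options, dump, pass) and reports whether /proc is mounted with hidepid. The two mount tables are constructed samples; the live check assumes a Linux host. Kernels 5.8 and later also accept the named values off, noaccess, invisible, and ptraceable, so "invisible" is treated as equivalent to 2.

```shell
#!/bin/sh
# Added example (not part of the original page): detect whether /proc is
# mounted with hidepid, the Linux control that hides other users' processes
# from ps, top, and pgrep. Assumes Linux /proc/mounts format.

# hidepid_value MOUNTS_TEXT
#   Prints the hidepid= value from the /proc mount line, or 0 when unset.
hidepid_value() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" && $3 == "proc" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opt[i]); val = opt[i]; found = 1 }
        }
        END { if (found) print val; else print 0 }'
}

# proc_is_hardened MOUNTS_TEXT
#   Succeeds when other users cannot enumerate processes: hidepid=2, or its
#   named equivalent "invisible" on kernels 5.8 and later.
proc_is_hardened() {
    case "$(hidepid_value "$1")" in
        2|invisible) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample tables: a default mount and a hardened one. gid=26 is an
# assumed admin group that keeps full visibility despite hidepid.
DEFAULT_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'
HARDENED_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=26 0 0'

# check_live: run the same test against the real mount table on a Linux box.
check_live() {
    [ -r /proc/mounts ] || { echo "no /proc/mounts (not Linux?)"; return 2; }
    table="$(cat /proc/mounts)"
    if proc_is_hardened "$table"; then
        echo "/proc hides other users' processes"
    else
        echo "/proc exposes all processes (hidepid=$(hidepid_value "$table"))"
    fi
}
```

To enable the hardened setting persistently, the corresponding fstab entry is the options column of HARDENED_MOUNTS; remounting with `mount -o remount,hidepid=2 /proc` applies it to a running system (this is standard mount(8) usage, shown here as an assumption about the host rather than something the page documents).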

Tips for Demonstration

To demonstrate this attack, show how to use a command-line tool or script to capture information about a process, ideally as an unprivileged user observing another user's processes. Show the captured information (owner, command, start and stop times, age) and motivate why that information could be useful to an attacker.
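A demonstration along those lines, added here as an example rather than taken from the page: a snapshot-diff monitor that compares two listings of the process table and reports which user started or stopped which command, plus a filter for long-running jobs. The two snapshots are constructed samples; the live polling function assumes procps-ng ps on Linux (the etimes column is not available on BSD or macOS ps, which only offer etime).

```shell
#!/bin/sh
# Added example (not part of the original page): what an unprivileged user on
# a shared host learns from ps alone. Snapshot format assumed:
#   "pid user elapsed-seconds command" per line,
# as printed by procps-ng `ps -eo pid=,user=,etimes=,comm=` on Linux.

# started_since OLD NEW: entries (pid user comm) present in NEW but not OLD.
started_since() {
    printf '%s\n' "$2" | while read -r pid user et comm; do
        [ -n "$pid" ] || continue
        if ! printf '%s\n' "$1" | awk -v p="$pid" '$1 == p { f = 1 } END { if (f) exit 0; exit 1 }'; then
            echo "$pid $user $comm"
        fi
    done
}

# stopped_since OLD NEW: entries present in OLD but gone from NEW.
stopped_since() { started_since "$2" "$1"; }

# long_running SNAPSHOT SECONDS: processes older than SECONDS, e.g. a victim's
# batch job worth targeting. Prints "pid user etimes comm".
long_running() {
    printf '%s\n' "$1" | awk -v min="$2" '$3 + 0 > min + 0 { print $1, $2, $3, $4 }'
}

# Constructed sample snapshots, taken 60 seconds apart: alice's ssh session
# ended and bob started gpg in between.
SNAP_A='1 root 86400 systemd
1203 alice 300 bash
1450 alice 12 ssh
2001 bob 900 python3'
SNAP_B='1 root 86460 systemd
1203 alice 360 bash
2001 bob 960 python3
2310 bob 5 gpg'

# watch_processes [INTERVAL]: live use on Linux, polling every INTERVAL
# seconds (default 5) and printing start/stop events as they happen.
watch_processes() {
    interval="${1:-5}"
    prev="$(ps -eo pid=,user=,etimes=,comm=)"
    while sleep "$interval"; do
        cur="$(ps -eo pid=,user=,etimes=,comm=)"
        started_since "$prev" "$cur" | sed 's/^/started: /'
        stopped_since "$prev" "$cur" | sed 's/^/stopped: /'
        prev="$cur"
    done
}
```

Run watch_processes in one terminal while another user logs in and launches something: the monitor prints who started which command within one polling interval, which is exactly the metadata the Impact section describes. Repeating the demonstration on a host with hidepid=2 shows only the observer's own processes.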

Other resources

Defenses on Linux
ps man pages

srowley1, wschor