Sigma | medium | Hunting
Mount Execution With Hidepid Parameter
Detects execution of the "mount" command with the "hidepid" parameter, which hides processes from other users on the system
Detection Query
selection:
    Image|endswith: /mount
    CommandLine|contains|all:
        - hidepid=2
        - " -o "
condition: selection
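The selection above is two field tests combined with AND: the process image must end in "/mount", and the command line must contain both the "hidepid=2" substring and the " -o " option marker. The following Python is an added example (not part of the rule or its project) that implements that selection over constructed Linux process-creation events so an analyst can see which mount invocations fire and which do not; the event shape (JSON lines with Image and CommandLine fields) and all sample command lines are assumptions made for the example.

```python
"""Evaluate the Sigma selection for 'Mount Execution With Hidepid Parameter'
against constructed process_creation events (added example, not rule code)."""
import json
import re

# Constructed sample log: one JSON object per line with the Sigma field names
# the rule uses after log-source mapping. These are not real captured events.
SAMPLE_LOG = """\
{"Image": "/usr/bin/mount", "CommandLine": "mount -o remount,hidepid=2 /proc"}
{"Image": "/bin/mount", "CommandLine": "mount -o rw,hidepid=2 -t proc proc /proc"}
{"Image": "/usr/bin/mount", "CommandLine": "mount /dev/sdb1 /mnt/data"}
{"Image": "/usr/bin/cat", "CommandLine": "cat /proc/mounts"}
{"Image": "/usr/bin/mount", "CommandLine": "mount -t proc -o hidepid=1 proc /proc"}
{"Image": "/usr/bin/mount", "CommandLine": "mount hidepid=2"}
"""

HIDEPID_RE = re.compile(r"hidepid=([^\s,]+)")


def load_events(jsonl_text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def hidepid_value(command_line):
    """Return the hidepid value given on the command line, or None if absent.
    Used only for analyst context; the rule itself does not parse the value."""
    match = HIDEPID_RE.search(command_line)
    return match.group(1) if match else None


def matches_hidepid_rule(event):
    """Apply the rule's selection. Sigma string matching is case-insensitive
    by default, so both fields are lower-cased before comparison."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Image|endswith: '/mount'
    if not image.endswith("/mount"):
        return False
    # CommandLine|contains|all: every listed substring must be present
    return all(token in cmd for token in ("hidepid=2", " -o "))


def hunt(events):
    """Return the subset of events that match the selection."""
    return [e for e in events if matches_hidepid_rule(e)]


if __name__ == "__main__":
    for event in load_events(SAMPLE_LOG):
        verdict = "MATCH" if matches_hidepid_rule(event) else "no match"
        print(f"{verdict:9} hidepid={hidepid_value(event['CommandLine'])!s:5} "
              f"{event['CommandLine']}")
```

Running the script shows two matches (the remount and the explicit proc mount with hidepid=2) and four non-matches. The last two non-matches are worth noting for tuning: hidepid=1 is outside the rule's scope by design, and a mount line without " -o " is excluded even though it names hidepid. Newer kernels also accept the spelled-out form hidepid=invisible for the same effect, which this substring match would not catch; a hunting variant could widen the contains list if that form is seen in the environment.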
Author
Joseliyo Sanchez, @Joseliyo_Jstnk
Created
2023-01-12
Data Sources
linux: Process Creation Events
Platforms
linux
References
- https://blogs.blackberry.com/
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
Tags
attack.credential-access, attack.defense-evasion, attack.t1564
Raw Content
title: Mount Execution With Hidepid Parameter
id: ec52985a-d024-41e3-8ff6-14169039a0b3
status: test
description: Detects execution of the "mount" command with the "hidepid" parameter, which hides processes from other users on the system
references:
    - https://blogs.blackberry.com/
    - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-12
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.t1564
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/mount'
        CommandLine|contains|all:
            - 'hidepid=2'
            - ' -o '
    condition: selection
falsepositives:
    - Unknown
level: medium