Process hidden using mount
What happened
The mount command was used to overwrite procfs data, hiding a process from commands such as ps.
Goal
Detect adversaries hiding malicious processes and obstructing system investigations.
Strategy
This detection monitors mount events for files being mounted over the /proc directory. Affected processes do not appear in the output of commands such as ps and htop. This technique requires root privileges.
Triage and response
- Use the process arguments to identify the source directory. Check for the directory in the content of /proc/mounts and /etc/mtab. Note that /etc/mtab may have been altered.
- Identify the target PID from the process arguments. Do this for all events in the Events tab. Multiple processes may have been hidden.
- Restore visibility by removing the mount. This can be done by executing umount /proc/PID for each affected PID.
- Investigate affected PIDs using related signals, system logs, or Live Processes.
- Follow your organization’s internal processes for investigating and remediating compromised systems.
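The following is an added example, not part of this rule's documentation or the Datadog Agent, showing how the triage check above can be scripted: it parses /proc/mounts-style text, lists every mount whose target is a /proc/PID path (each one corresponds to an `umount /proc/PID` to run), and flags mount targets that the kernel reports in /proc/mounts but that are missing from /etc/mtab, which is one sign that /etc/mtab was altered. The sample mount tables are constructed for the example; on a live host you would read the real /proc/mounts and /etc/mtab instead.

```python
"""Find processes hidden by mounts over /proc/<pid> (added example, constructed data)."""
import re
from typing import Dict, List, Tuple

# A mount target of exactly /proc/<pid>, or any path below it, hides that PID's
# procfs entry from tools such as ps and htop.
_PROC_PID_TARGET = re.compile(r"^/proc/(\d+)(?:/.*)?$")


def _unescape(path: str) -> str:
    # /proc/mounts and /etc/mtab encode space, tab, newline and backslash in
    # paths as octal escapes (\040, \011, \012, \134); decode them.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mounts(text: str) -> List[Tuple[str, str, str]]:
    """Parse /proc/mounts or /etc/mtab lines into (source, target, fstype)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        entries.append((_unescape(fields[0]), _unescape(fields[1]), fields[2]))
    return entries


def find_proc_overmounts(mounts_text: str) -> Dict[int, Tuple[str, str]]:
    """Return {pid: (source, fstype)} for every mount placed over /proc/<pid>."""
    hidden: Dict[int, Tuple[str, str]] = {}
    for source, target, fstype in parse_mounts(mounts_text):
        match = _PROC_PID_TARGET.match(target)
        if match:
            hidden[int(match.group(1))] = (source, fstype)
    return hidden


def mtab_discrepancies(proc_mounts_text: str, mtab_text: str) -> List[str]:
    """Mount targets the kernel reports in /proc/mounts that /etc/mtab omits.

    /etc/mtab is normally a symlink to /proc/self/mounts; if it is a plain file
    that lacks entries the kernel reports, it may have been edited.
    """
    kernel_targets = {target for _, target, _ in parse_mounts(proc_mounts_text)}
    mtab_targets = {target for _, target, _ in parse_mounts(mtab_text)}
    return sorted(kernel_targets - mtab_targets)


# Constructed sample tables (not captured from a real host). The two /proc/PID
# entries model a bind mount of another PID directory and an empty tmpfs.
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc/4242 proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /proc/7331 tmpfs rw,nosuid 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

SAMPLE_MTAB = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""


if __name__ == "__main__":
    for pid, (src, fs) in find_proc_overmounts(SAMPLE_PROC_MOUNTS).items():
        print(f"PID {pid} hidden by {fs} mount from {src}; restore with: umount /proc/{pid}")
    for target in mtab_discrepancies(SAMPLE_PROC_MOUNTS, SAMPLE_MTAB):
        print(f"/etc/mtab omits kernel-reported mount at {target}")
```

Because a bind mount is listed in /proc/mounts under the source filesystem's name (here `proc`) rather than the directory that was bound, the script can tell you which PIDs are hidden but not which directory was mounted over them; that is why the triage steps take the source directory from the mount process arguments. /proc/self/mountinfo additionally records the root of each mount within its source filesystem, so it can be used to confirm the source when the process arguments are not available.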
Requires Agent version 7.42 or later.