Process hidden using mount
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect adversaries hiding malicious processes and obstructing system investigations.
Strategy
This detection monitors mount
events for files being mounted over the /proc
directory. Affected processes do not appear in the output of commands such as ps
and htop
. This technique requires root privileges.
Triage and response
- Use the process arguments to identify the source directory. Check for the directory in the content of
/proc/mounts
and /etc/mtab
. Note that /etc/mtab
may have been altered. - Identify the target PID from the process arguments. Do this for all events in the Events tab. Multiple processes may have been hidden.
- Restore visibility by removing the mount. This can be done by executing
umount /proc/PID
for each affected PID. - Investigate affected PIDs using related signals, system logs, or Live Processes.
- Follow your organization’s internal processes for investigating and remediating compromised systems.
Requires Agent version 7.42 or later.