Process hidden using mount


Goal

Detect adversaries hiding malicious processes and obstructing system investigations.

Strategy

This detection monitors mount events for files being mounted over the /proc directory. Affected processes do not appear in the output of commands such as ps and htop. This technique requires root privileges.

Triage and response

  1. Use the process arguments to identify the source directory. Check for the directory in the content of /proc/mounts and /etc/mtab. Note that /etc/mtab may have been altered.
  2. Identify the target PID from the process arguments. Do this for all events in the Events tab. Multiple processes may have been hidden.
  3. Restore visibility by removing the mount. This can be done by executing umount /proc/PID for each affected PID.
  4. Investigate affected PIDs using related signals, system logs, or Live Processes.
  5. Follow your organization’s internal processes for investigating and remediating compromised systems.
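
Steps 1 to 3 can be cross-checked against the kernel's mount table with the following helper. It is an added example, not part of the original rule or the Agent. The function names and the sample mount lines are constructed for illustration. The first field of /proc/mounts is the backing device or filesystem name, which for a bind mount is not the source directory itself.

```shell
#!/usr/bin/env bash
# Added triage helper (illustrative; function names are hypothetical).
# Finds mounts placed directly over /proc/<PID>, which hide that PID
# from tools such as ps and htop.

# find_proc_overmounts [MOUNTS_FILE]
# Prints one line per matching mount: "<pid> <device> <fstype>".
# Reads /proc/mounts by default, since /etc/mtab may have been altered.
find_proc_overmounts() {
    local mounts_file="${1:-/proc/mounts}"
    awk '
        # Field 2 is the mount point. Match exactly /proc/<digits>,
        # with an optional trailing slash. Legitimate mounts such as
        # /proc/sys/fs/binfmt_misc do not match.
        $2 ~ /^\/proc\/[0-9]+\/?$/ {
            pid = $2
            sub(/^\/proc\//, "", pid)
            sub(/\/$/, "", pid)
            print pid, $1, $3
        }
    ' "$mounts_file"
}

# print_umount_commands [MOUNTS_FILE]
# Emits one "umount /proc/<PID>" per matching mount entry for review.
# Nothing is executed. A PID with stacked mounts is listed once per
# layer, because each umount removes only the topmost mount.
print_umount_commands() {
    find_proc_overmounts "${1:-}" | awk '{ print "umount /proc/" $1 }'
}

# sample_mounts
# Constructed /proc/mounts content for offline testing: two hidden
# PIDs (4242, 1337) among ordinary mounts.
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime 0 0
/dev/sda1 /proc/4242 ext4 rw,relatime 0 0
tmpfs /proc/1337 tmpfs rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}
```

Called with no argument on the affected host, find_proc_overmounts reads the live /proc/mounts. Compare the PIDs it reports with the target PIDs from the events before removing any mount.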

Requires Agent version 7.42 or later.