---
title: Process hidden using mount
description: Datadog, the leading service for cloud-scale monitoring.
---

# Process hidden using mount

Classification: attack | Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005) | Technique: [T1564-hide-artifacts](https://attack.mitre.org/techniques/T1564)

**Deprecation Notice (May 15, 2026):** This rule is deprecated in favor of the [Container escape attack](https://docs.datadoghq.com/security/default_rules/def-000-f39.md) correlation rule, which combines multiple container escape signals into a single, higher-fidelity detection. Customers will automatically benefit from the improved correlation-based detection without any action required.

## What happened{% #what-happened %}

The `mount` command was used to overwrite procfs data, hiding a process from commands such as `ps`.

## Goal{% #goal %}

Detect adversaries hiding malicious processes and obstructing system investigations.

## Strategy{% #strategy %}

This detection monitors `mount` events for files being mounted over the `/proc` directory. Affected processes do not appear in the output of commands such as `ps` and `htop`. This technique requires root privileges.

## Triage and response{% #triage-and-response %}

1. Use the process arguments to identify the source directory. Check for the directory in the content of `/proc/mounts` and `/etc/mtab`. Note that `/etc/mtab` may have been altered.
1. Identify the target PID from the process arguments. Do this for all events in the Events tab. Multiple processes may have been hidden.
1. Restore visibility by removing the mount. This can be done by executing `umount /proc/PID` for each affected PID.
1. Investigate affected PIDs using related signals, system logs, or [Live Processes](https://docs.datadoghq.com/infrastructure/process.md).
1. Follow your organization's internal processes for investigating and remediating compromised systems.
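
The checks in steps 1 to 3, as an added shell example (not Datadog's code): it reads a file in `/proc/mounts` format, lists the PIDs whose `/proc/PID` is a mount point, flags PIDs missing from the mtab copy, and prints the `umount` commands without running them. The function names and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added triage helper, not Datadog code. Function names are hypothetical.

# PIDs whose /proc/<pid> directory is itself a mount point, read from a file
# in /proc/mounts format: device mountpoint fstype options dump pass
hidden_pids() {
    awk '$2 ~ "^/proc/[0-9]+$" { sub("^/proc/", "", $2); print $2 }' \
        "${1:-/proc/mounts}" | sort -u
}

# PIDs present in the kernel table but absent from the mtab copy, which
# suggests the mtab file was altered. Where /etc/mtab is a symlink to the
# kernel table, both views are identical and this prints nothing.
missing_from_mtab() {
    _k=$(mktemp) _m=$(mktemp)
    hidden_pids "${1:-/proc/mounts}" > "$_k"
    hidden_pids "${2:-/etc/mtab}"    > "$_m"
    comm -23 "$_k" "$_m"
    rm -f "$_k" "$_m"
}

# Dry run: print the umount command from step 3 for each affected PID.
print_umounts() {
    hidden_pids "${1:-/proc/mounts}" | while read -r pid; do
        printf 'umount /proc/%s\n' "$pid"
    done
}

# Constructed sample data: two hidden PIDs, one of them scrubbed from mtab.
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime 0 0
/dev/sda1 /proc/4242 ext4 rw,relatime 0 0
tmpfs /proc/731 tmpfs rw,relatime 0 0
EOF
}
sample_mtab() { sample_mounts | grep -v ' /proc/731 '; }

# Demo on the constructed sample only; nothing on the host is changed.
demo_dir=$(mktemp -d)
sample_mounts > "$demo_dir/mounts"
sample_mtab   > "$demo_dir/mtab"
print_umounts "$demo_dir/mounts"
missing_from_mtab "$demo_dir/mounts" "$demo_dir/mtab"
rm -rf "$demo_dir"
```

On a live host, call `hidden_pids` and `print_umounts` with no arguments to read `/proc/mounts` directly.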

*Requires Agent version 7.42 or later.*
