Process hidden using mount

Goal

Detect adversaries hiding malicious processes and obstructing system investigations.

Strategy

This detection monitors mount events for files being mounted over the /proc directory. Affected processes do not appear in the output of commands such as ps and htop. This technique requires root privileges.

Triage and response

  1. Use the process arguments to identify the source directory. Check for the directory in the content of /proc/mounts and /etc/mtab. Note that /etc/mtab may have been altered.
  2. Identify the target PID from the process arguments. Do this for all events in the Events tab. Multiple processes may have been hidden.
  3. Restore visibility by removing the mount. This can be done by executing umount /proc/PID for each affected PID.
  4. Investigate affected PIDs using related signals, system logs, or Live Processes.
  5. Follow your organization’s internal processes for investigating and remediating compromised systems.

Requires Agent version 7.42 or later.