Abuse of bind mounts to obscure process directories. Defender perspective: detecting anomalous mount operations where a process’s /proc entry is remapped to another directory, often hiding malicious activity from native utilities (ps, top). Behavior chain includes: (1) execution of mount with -o bind or -B flags, (2) modification of /proc entries inconsistent with expected process lineage, and (3) subsequent anomalous activity from processes whose metadata no longer matches execution context.
| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | auditd:SYSCALL | mount system call with bind or remap flags |
| File Creation (DC0039) | auditd:PATH | mount target path within /proc/* |
| Process Metadata (DC0034) | linux:osquery | process metadata mismatch between /proc and runtime attributes |

| Field | Description |
|---|---|
| BindMountFlags | Flags or options used in mount commands (e.g., -o bind, -B). Can vary across distributions and kernels. |
| WatchedProcPaths | List of /proc paths to monitor. Tunable to reduce noise from benign bind mounts used in containers or chroot environments. |
| CorrelationWindow | Timeframe to correlate bind mount creation with anomalous process or file activity. |
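The following is an added detection sketch, not code from the original analytic or from any vendor tool. It walks the behavior chain above over constructed auditd records: it picks out bind mounts from both evidence sources the analytic names (the MS_BIND bit in the mount(2) flags argument, and a bind option on the mount command line captured in an EXECVE record), keeps only those whose target falls under a watched /proc path, and then raises severity when an osquery-style process-metadata mismatch for the same pid arrives inside the correlation window. The tunable names mirror the fields in the table; their values, the sample log lines, the mismatch record layout, and the x86_64 syscall number are assumptions.

```python
"""Detection sketch for the bind-mount-over-/proc analytic: parse auditd
records, flag bind mounts whose target is under a watched /proc path, and
corroborate them with a process-metadata mismatch inside a time window."""
import re
from collections import defaultdict

# Tunables named after the analytic's fields; the values are assumptions.
MS_BIND = 0x1000                            # MS_BIND bit in the mount(2) flags argument
MOUNT_SYSCALL_NR = "165"                    # mount(2) on x86_64 (arch=c000003e); other arches differ
BIND_MOUNT_FLAGS = {"bind", "rbind", "-B"}  # BindMountFlags: command-line spellings
WATCHED_PROC_PATHS = ("/proc/",)            # WatchedProcPaths
CORRELATION_WINDOW = 300.0                  # CorrelationWindow in seconds

# Constructed auditd records (not real captures). Records sharing one serial form
# one audit event: the execve of mount is one event, the mount(2) call another.
AUDIT_LOG = """
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d1e0 a2=55d200 a3=0 pid=900 ppid=1 uid=0 comm="mount" exe="/usr/bin/mount" key="mounts"
type=EXECVE msg=audit(1700000000.101:301): argc=4 a0="mount" a1="-B" a2="/srv/data" a3="/mnt/data"
type=PATH msg=audit(1700000000.101:301): item=0 name="/usr/bin/mount" inode=100 dev=fd:01 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.130:302): arch=c000003e syscall=165 success=yes exit=0 a0=55d300 a1=55d320 a2=0 a3=1000 pid=900 ppid=1 uid=0 comm="mount" exe="/usr/bin/mount" key="mounts"
type=PATH msg=audit(1700000000.130:302): item=0 name="/mnt/data" inode=101 dev=fd:01 nametype=NORMAL
type=PATH msg=audit(1700000000.130:302): item=1 name="/srv/data" inode=102 dev=fd:01 nametype=NORMAL
type=SYSCALL msg=audit(1700000030.500:410): arch=c000003e syscall=59 success=yes exit=0 a0=55e1c0 a1=55e1e0 a2=55e200 a3=0 pid=4301 ppid=4242 uid=0 comm="mount" exe="/usr/bin/mount" key="mounts"
type=EXECVE msg=audit(1700000030.500:410): argc=5 a0="mount" a1="-o" a2="bind" a3="/tmp/.x" a4="/proc/4242"
type=PATH msg=audit(1700000030.500:410): item=0 name="/usr/bin/mount" inode=100 dev=fd:01 nametype=NORMAL
type=SYSCALL msg=audit(1700000030.520:411): arch=c000003e syscall=165 success=yes exit=0 a0=55e300 a1=55e320 a2=0 a3=1000 pid=4301 ppid=4242 uid=0 comm="mount" exe="/usr/bin/mount" key="mounts"
type=PATH msg=audit(1700000030.520:411): item=0 name="/proc/4242" inode=4242 dev=00:05 nametype=NORMAL
type=PATH msg=audit(1700000030.520:411): item=1 name="/tmp/.x" inode=7781 dev=fd:01 nametype=NORMAL
"""

# Constructed osquery-style results: a pid whose /proc view disagrees with its
# runtime attributes. The record layout is an assumption, not an osquery table.
METADATA_MISMATCHES = [
    {"ts": 1700000090.0, "pid": 4242, "proc_exe": "/usr/sbin/cron", "runtime_exe": "/tmp/.x/payload"},
    {"ts": 1700000095.0, "pid": 77, "proc_exe": "/usr/bin/sleep", "runtime_exe": "/opt/agent/sleep"},
]

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one auditd line into {type, ts, serial, field...}; quotes are stripped."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3))}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(line[m.end():]))
    return rec


def group_events(log):
    """Records sharing a serial belong to one audit event; keep them together."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def bind_mount_target(records):
    """Return (target, evidence) when the event is a bind mount, else None.
    Evidence is either MS_BIND in the mount(2) flags (target read from the PATH
    items) or a bind option on the mount command line (target is the last argv)."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    execve = next((r for r in records if r["type"] == "EXECVE"), None)
    paths = [r["name"] for r in records if r["type"] == "PATH" and "name" in r]
    if syscall and syscall.get("syscall") == MOUNT_SYSCALL_NR \
            and int(syscall.get("a3", "0"), 16) & MS_BIND:
        watched = next((p for p in paths if p.startswith(WATCHED_PROC_PATHS)), None)
        return (watched or next(iter(paths), "<unknown>")), "MS_BIND in mount(2) flags"
    if execve and execve.get("a0", "").rsplit("/", 1)[-1] == "mount":
        keys = sorted((k for k in execve if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
        argv = [execve[k] for k in keys]
        if {t for a in argv for t in a.split(",")} & BIND_MOUNT_FLAGS:   # handles "-o bind,ro" too
            return argv[-1], "bind option on mount command line"
    return None


def detect(audit_log, mismatches):
    """Alert on bind mounts targeting a watched /proc path; raise severity when a
    metadata mismatch for the same pid follows within the correlation window."""
    alerts = {}
    for serial, records in sorted(group_events(audit_log).items()):
        hit = bind_mount_target(records)
        if hit is None or not hit[0].startswith(WATCHED_PROC_PATHS):
            continue  # no bind mount, or one outside /proc (containers, chroot): tuning point
        target, evidence = hit
        m = re.match(r"/proc/(\d+)", target)
        pid = int(m.group(1)) if m else None
        alert = alerts.setdefault(target, {"target": target, "pid": pid,
                                           "first_ts": records[0]["ts"],
                                           "evidence": [], "serials": []})
        alert["evidence"].append(evidence)
        alert["serials"].append(serial)
    for alert in alerts.values():
        corroborated = [e for e in mismatches if e["pid"] == alert["pid"]
                        and 0 <= e["ts"] - alert["first_ts"] <= CORRELATION_WINDOW]
        alert["severity"] = "high" if corroborated else "medium"
        alert["mismatches"] = corroborated
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(AUDIT_LOG, METADATA_MISMATCHES):
        print(a["severity"], a["target"], a["evidence"], a["serials"])
```

Run as-is the sketch emits one high-severity alert for /proc/4242 backed by both evidence sources (serials 410 and 411), while the bind mount onto /mnt/data is parsed but dropped because its target is outside WatchedProcPaths; that drop is where the noise from container and chroot bind mounts is meant to be tuned away.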