Hide Artifacts: Bind Mounts

Other sub-techniques of Hide Artifacts (14)

ID	Name
T1564.001	Hidden Files and Directories
T1564.002	Hidden Users
T1564.003	Hidden Window
T1564.004	NTFS File Attributes
T1564.005	Hidden File System
T1564.006	Run Virtual Instance
T1564.007	VBA Stomping
T1564.008	Email Hiding Rules
T1564.009	Resource Forking
T1564.010	Process Argument Spoofing
T1564.011	Ignore Process Interrupts
T1564.012	File/Path Exclusions
T1564.013	Bind Mounts
T1564.014	Extended Attributes

Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It’s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access.

Adversaries may use bind mounts to map either an empty directory or a benign /proc directory to a malicious process’s /proc directory. Using the commands mount –o bind /proc/benign-process /proc/malicious-process (or mount –B), the malicious process's /proc directory is overlayed with the contents of a benign process's /proc directory. When system utilities query process activity, such as ps and top, the kernel follows the bind mount and presents the benign directory’s contents instead of the malicious process's actual /proc directory. As a result, these utilities display information that appears to come from the benign process, effectively hiding the malicious process's metadata, executable, or other artifacts from detection.^[1]^[2]

ID: T1564.013

Sub-technique of: T1564

ⓘ

Tactic: Defense Evasion

ⓘ

Platforms: Linux

Contributors: Lê Phương Nam, Group-IB

Version: 1.0

Created: 30 January 2025

Last Modified: 15 April 2025

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
C0035	KV Botnet Activity	KV Botnet Activity leveraged a bind mount to bind itself to the `/proc/` file path before deleting its files from the `/tmp/` directory.^[3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	Configure auditd rules to monitor use of the `/bin/mount` command, especially with relation to the `/proc` directory. Analytic 1 - Use of Mount with bind arguments targeting /proc/ paths index=linux_logs source="/var/log/audit/audit.log"\| eval syscall=coalesce(syscall, "unknown"), exe=coalesce(exe, "unknown")\| search syscall="mount" exe="/bin/mount" (msg="bind" OR msg="bind,rw")\| rex field=msg "a0=\"(?[^\"]+)\" a1=\"(?[^\"]+)\""\| where like(source_path, "/proc/%") AND like(target_path, "/proc/%")\| eval is_suspicious=if(match(target_path, "/proc/[1-9][0-9]*") AND NOT cidrmatch(source_path, target_path), 1, 0)\| stats count by exe, source_path, target_path, uid, pid, is_suspicious\| where is_suspicious=1
DS0022	File	File Creation	Monitor for the creation of PID directories under `/proc` with unusual characteristics. For example, these directories should typically be read-only; the creation of a directory with write permissions may indicate unusual activity.^[4]
DS0009	Process	OS API Execution	Configure auditd rules to monitor use of the `mount` system call, especially with respect to the `/proc` directory. Bind mount activity invokes `mount()` with the `MS_BIND` flag. Analytic 1 - Using eBPF or sys call logging `index=syscalls source="/var/log/audit/audit.log"\| search syscall="mount"\| regex args=".bind."\| eval suspicious=if(like(args, "%/proc/%") AND like(args, "%bind%"), 1, 0)\| stats count by pid, exe, args, uid, suspicious\| where suspicious=1`

DS0017

Command

Command Execution

Configure auditd rules to monitor use of the /bin/mount command, especially with relation to the /proc directory.

Analytic 1 - Use of Mount with bind arguments targeting /proc/ paths

index=linux_logs source="/var/log/audit/audit.log"| eval syscall=coalesce(syscall, "unknown"), exe=coalesce(exe, "unknown")| search syscall="mount" exe="/bin/mount" (msg="bind" OR msg="bind,rw")| rex field=msg "a0=\"(?[^\"]+)\" a1=\"(?[^\"]+)\""| where like(source_path, "/proc/%") AND like(target_path, "/proc/%")| eval is_suspicious=if(match(target_path, "/proc/[1-9][0-9]*") AND NOT cidrmatch(source_path, target_path), 1, 0)| stats count by exe, source_path, target_path, uid, pid, is_suspicious| where is_suspicious=1

DS0022

File

File Creation

Monitor for the creation of PID directories under /proc with unusual characteristics. For example, these directories should typically be read-only; the creation of a directory with write permissions may indicate unusual activity.^[4]

DS0009

Process

OS API Execution

Configure auditd rules to monitor use of the mount system call, especially with respect to the /proc directory. Bind mount activity invokes mount() with the MS_BIND flag.

Analytic 1 - Using eBPF or sys call logging

Hide Artifacts: Bind Mounts

Other sub-techniques of Hide Artifacts (14)

Procedure Examples

Mitigations

Detection

References