Potential Hidden Process via Mount Hidepid

Identifies the execution of the mount process with the hidepid parameter, which can make processes invisible to other users on the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5 and above) can hide a process from other users. When the hidepid=2 option is used to mount the /proc filesystem, only the root user can see all processes; a logged-in user can only see their own processes. This provides a defense evasion mechanism that lets adversaries hide their process executions from commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option, all the user has to do is remount the /proc filesystem with that option, which can now be monitored and detected.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of mount process with hidepid parameter, which can make processes invisible to
other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide
the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user
can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for
the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more.
With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option,
which can now be monitored and detected.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Hidden Process via Mount Hidepid"
references = [
    "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
]
risk_score = 47
rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and process.name == "mount" and event.action == "exec" and
process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
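The EQL query above compares each condition against the whole `process.args` array, so a condition is true if any element satisfies it, and `:` is a case-insensitive wildcard match. The following Python mirrors that logic over constructed ECS-style events; it is an added illustration, not part of the Elastic rule or its test data.

```python
import fnmatch

# Constructed ECS-like process events (not real telemetry). Only the first one
# satisfies every condition of the rule; the others each fail exactly one.
SAMPLE_EVENTS = [
    {"host": {"os": {"type": "linux"}}, "event": {"action": "exec"},
     "process": {"name": "mount", "args": ["mount", "-o", "remount,hidepid=2", "/proc"]}},
    {"host": {"os": {"type": "linux"}}, "event": {"action": "exec"},
     "process": {"name": "mount", "args": ["mount", "-o", "hidepid=1", "/proc"]}},   # weaker setting
    {"host": {"os": {"type": "linux"}}, "event": {"action": "exec"},
     "process": {"name": "mount", "args": ["mount", "-o", "hidepid=2", "/home"]}},   # not /proc
    {"host": {"os": {"type": "linux"}}, "event": {"action": "end"},
     "process": {"name": "mount", "args": ["mount", "-o", "hidepid=2", "/proc"]}},   # not an exec
    {"host": {"os": {"type": "windows"}}, "event": {"action": "exec"},
     "process": {"name": "mount", "args": ["mount", "-o", "hidepid=2", "/proc"]}},   # wrong OS
]


def matches_hidepid_rule(event: dict) -> bool:
    """Evaluate the rule's EQL conditions against one event document."""
    process = event.get("process", {})
    args = process.get("args", [])
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    if process.get("name") != "mount" or event.get("event", {}).get("action") != "exec":
        return False
    # `process.args == "/proc"` on an array field is true when ANY element equals
    # it exactly (case-sensitive), so argument order is irrelevant but each value
    # must appear as its own argv entry.
    if "/proc" not in args or "-o" not in args:
        return False
    # `process.args : "*hidepid=2*"` is a case-insensitive wildcard match, which
    # also covers comma-joined option strings such as "remount,hidepid=2".
    return any(fnmatch.fnmatchcase(a.lower(), "*hidepid=2*") for a in args)


def matching_events(events: list) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_hidepid_rule(e)]


if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print("ALERT:", " ".join(hit["process"]["args"]))
```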
