Mount Execution With Hidepid Parameter
Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
Sigma rule (View on GitHub)
1title: Mount Execution With Hidepid Parameter
2id: ec52985a-d024-41e3-8ff6-14169039a0b3
3status: test
4description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
5references:
6 - https://blogs.blackberry.com/
7 - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
8 - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
9author: Joseliyo Sanchez, @Joseliyo_Jstnk
10date: 2023-01-12
11tags:
12 - attack.credential-access
13 - attack.defense-evasion
14 - attack.t1564
15logsource:
16 product: linux
17 category: process_creation
18detection:
19 selection:
20 Image|endswith: '/mount'
21 CommandLine|contains|all:
22 - 'hidepid=2'
23 - ' -o '
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium
References
-
The latest news and articles about cybersecurity, critical event management, asset tracking, and secure Internet of Things including automotive from BlackBerry.
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Active Directory Certificate Services Denied Certificate Enrollment Request
- Renamed BrowserCore.EXE Execution
- CrashControl CrashDump Disabled
- Possible DC Shadow Attack
- CreateDump Process Dump