Mount Execution With Hidepid Parameter

 1title: Mount Execution With Hidepid Parameter
 2id: ec52985a-d024-41e3-8ff6-14169039a0b3
 3status: test
 4description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
 5references:
 6    - https://blogs.blackberry.com/
 7    - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
 8    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
 9author: Joseliyo Sanchez, @Joseliyo_Jstnk
10date: 2023-01-12
11tags:
12    - attack.credential-access
13    - attack.t1564
14logsource:
15    product: linux
16    category: process_creation
17detection:
18    selection:
19        Image|endswith: '/mount'
20        CommandLine|contains|all:
21            - 'hidepid=2'
22            - ' -o '
23    condition: selection
24falsepositives:
25    - Unknown
26level: medium

References

• BlackBerry Blog

  The latest news and articles about cybersecurity, critical event management, asset tracking, and secure Internet of Things including automotive from BlackBerry.

  
  Read More

• https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/

  
  Read More

• x.com

  
  Read More

Related rules

• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• ADCS Certificate Template Configuration Vulnerability
• ADCS Certificate Template Configuration Vulnerability with Risky EKU
• APT31 Judgement Panda Activity