234. That's How MountBot Hides Its Processes

Hello everyone!

Adversaries always want to hide their malicious activities. Some hiding techniques are common, while others are not. Let's look at one of them - Hide Artifacts: Bind Mounts (T1564.013).

According to this report, MountBot has the following code:

mount('/proc/1', '/proc/self', 0, MS_BIND, 0);

And this is an example how adversaries abuse bind mounts on file structures to hide their activity!

Of course, we can hunt for suspicious executions of mount:

event_type: "processcreatenix"

AND

proc_file_path: "mount"

AND

cmdline: ("bind" AND "proc")

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

013. It Can Remove Rootkits. And Your EDR!