Adversaries may use the hidepid parameter in mount execution to obscure process visibility and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or evasion tactics associated with advanced threats.
Detection Rule
title: Mount Execution With Hidepid Parameter
id: ec52985a-d024-41e3-8ff6-14169039a0b3
status: test
description: Detects execution of the "mount" command with the "hidepid" parameter, which makes processes invisible to other users on the system
references:
    - https://blogs.blackberry.com/
    - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-12
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.t1564
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/mount'
        CommandLine|contains|all:
            - 'hidepid=2'
            - ' -o '
    condition: selection
falsepositives:
    - Unknown
level: medium
imProcessCreate
| where TargetProcessName endswith "/mount" and (TargetProcessCommandLine contains "hidepid=2" and TargetProcessCommandLine contains " -o ")
Scenario: Systemd Unit File Reload
Description: A system administrator reloads a systemd unit file using systemctl daemon-reload, which may trigger the rule due to the mount command being executed with the hidepid parameter.
Filter/Exclusion: Check for the presence of systemctl in the command line or filter by process.parent_process_name = "systemd".
Scenario: Regular System Maintenance Task
Description: A scheduled job (e.g., via cron or systemd-timer) runs a maintenance script that mounts a filesystem with hidepid=2 for user isolation.
Filter/Exclusion: Filter by process.parent_process_name = "cron" or process.parent_process_name = "systemd-timer".
Scenario: Docker Volume Mount with Hidepid
Description: A Docker container mounts a volume with hidepid=2 to isolate user access, which may be flagged by the rule.
Filter/Exclusion: Filter by process.parent_process_name = "docker" or check for docker in the command line.
Scenario: User-Specific Mount for Home Directory Isolation
Description: An admin mounts a user’s home directory with hidepid=2 to prevent other users from seeing the user’s processes.
Filter/Exclusion: Filter by process.parent_process_name = "mount" or check for hidepid=2 in the mount options and validate against known user mounts.
Scenario: Automated Backup Tool with Custom Mount Options
Description: A backup tool (e.g., rsnapshot, borgbackup) mounts a temporary filesystem with hidepid=2 for secure temporary storage.
Filter/Exclusion: Filter by process.parent_process_name = "rsnapshot" or `process
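The rule's selection logic and the parent-process exclusions listed in the scenarios above, run over constructed process_creation events, as an added example that is not part of the original rule or page (the ParentImage field name and the sample command lines are assumptions):

```python
# Constructed sample process_creation events, not real telemetry. Field names
# follow the Sigma rule (Image, CommandLine) plus an assumed ParentImage field.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/mount", "CommandLine": "mount -o remount,rw,hidepid=2 /proc",
     "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/mount", "CommandLine": "mount -o remount,hidepid=2 /proc",
     "ParentImage": "/usr/sbin/cron"},
    {"Image": "/usr/bin/mount", "CommandLine": "mount -o rw /dev/sdb1 /mnt/data",
     "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/umount", "CommandLine": "umount /proc",
     "ParentImage": "/bin/bash"},
    # The rule requires the literal ' -o ' token, so this form is NOT matched:
    # a caveat to weigh when tuning the rule, since mount accepts '-ohidepid=2'.
    {"Image": "/usr/bin/mount", "CommandLine": "mount -ohidepid=2 /proc",
     "ParentImage": "/bin/bash"},
]

# Parent process names the scenarios above treat as likely benign sources.
# Tune to the environment and validate before suppressing anything.
BENIGN_PARENTS = {"systemd", "cron", "systemd-timer", "docker", "rsnapshot"}


def matches_rule(event):
    """Sigma selection: Image endswith '/mount' AND CommandLine contains
    all of 'hidepid=2' and ' -o ' (same logic as the imProcessCreate query)."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return image.endswith("/mount") and "hidepid=2" in cmd and " -o " in cmd


def triage(events, benign_parents=BENIGN_PARENTS):
    """Split rule hits into (alerts, suppressed) by parent process basename."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        parent = ev.get("ParentImage", "").rsplit("/", 1)[-1]
        (suppressed if parent in benign_parents else alerts).append(ev)
    return alerts, suppressed


if __name__ == "__main__":
    hits, quiet = triage(SAMPLE_EVENTS)
    for ev in hits:
        print("ALERT     ", ev["ParentImage"], "->", ev["CommandLine"])
    for ev in quiet:
        print("SUPPRESSED", ev["ParentImage"], "->", ev["CommandLine"])
```

The suppressed hits should still be reviewed periodically, since a scheduler such as cron is itself a common persistence location.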