DET0428 Detection Strategy for Bind Mounts on Linux

| Item | Value |
| --- | --- |
| ID | DET0428 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1564.013 (Bind Mounts)

Analytics

Linux

AN1196

Abuse of bind mounts to obscure process directories. Defender perspective: detecting anomalous mount operations where a process’s /proc entry is remapped to another directory, often hiding malicious activity from native utilities (ps, top). Behavior chain includes: (1) execution of mount with -o bind or -B flags, (2) modification of /proc entries inconsistent with expected process lineage, and (3) subsequent anomalous activity from processes whose metadata no longer matches execution context.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| OS API Execution (DC0021) | auditd:SYSCALL | mount system call with bind or remap flags |
| File Creation (DC0039) | auditd:PATH | mount target path within /proc/* |
| Process Metadata (DC0034) | linux:osquery | process metadata mismatch between /proc and runtime attributes |

Mutable Elements

| Field | Description |
| --- | --- |
| BindMountFlags | Flags or options used in mount commands (e.g., -o bind, -B). Can vary across distributions and kernels. |
| WatchedProcPaths | List of /proc paths to monitor. Tunable to reduce noise from benign bind mounts used in containers or chroot environments. |
| CorrelationWindow | Timeframe to correlate bind mount creation with anomalous process or file activity. |
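The following is an added worked example of the AN1196 logic applied to the auditd:SYSCALL and auditd:PATH sources listed above; it is illustration written for this page, not code from the DET0428 entry or the ATT&CK project. It assumes an x86_64 host (where mount(2) is syscall 165 and the mountflags bitmask arrives in auditd's a3 field), an audit rule such as `-a always,exit -F arch=b64 -S mount -F key=bind_mounts`, and the kernel constants MS_BIND (0x1000) and MS_REC (0x4000). The audit records in the block are constructed samples, not captured logs, and the `watched_prefixes` parameter plays the role of the WatchedProcPaths mutable element.

```python
"""Flag bind mounts whose target lies under /proc, from raw auditd records.

Added example for DET0428 / AN1196 (not the page's own code). Assumes x86_64
(mount(2) == syscall 165, mountflags in a3) and an auditd rule that logs the
mount syscall, e.g.:  -a always,exit -F arch=b64 -S mount -F key=bind_mounts
"""
import re
from collections import defaultdict

MS_BIND = 0x1000             # linux/mount.h: MS_BIND
MS_REC = 0x4000              # linux/mount.h: MS_REC (rbind)
MOUNT_SYSCALL_X86_64 = 165   # assumption: x86_64 syscall table

# Constructed sample records in raw auditd format (not real logs).
# Event 201: mount --bind of a staged directory over /proc/<pid>   -> alert
# Event 202: container runtime bind-mounting a volume (benign)     -> no alert
# Event 203: ordinary block-device mount, no MS_BIND flag          -> no alert
# Event 204: recursive bind (MS_BIND|MS_REC = 0x5000) onto /proc   -> alert
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1761040000.101:201): arch=c000003e syscall=165 success=yes exit=0 a0=55d0c0a1e2b0 a1=55d0c0a1e300 a2=0 a3=1000 items=2 ppid=1400 pid=1422 auid=1000 uid=0 gid=0 comm="mount" exe="/usr/bin/mount" key="bind_mounts"
type=PATH msg=audit(1761040000.101:201): item=0 name="/tmp/.shadow/1337" inode=10823 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=NORMAL
type=PATH msg=audit(1761040000.101:201): item=1 name="/proc/1337" inode=20417 dev=00:16 mode=040555 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1761040000.205:202): arch=c000003e syscall=165 success=yes exit=0 a0=7f3a1c0012a0 a1=7f3a1c0012f0 a2=0 a3=1000 items=2 ppid=900 pid=910 auid=4294967295 uid=0 gid=0 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" key="bind_mounts"
type=PATH msg=audit(1761040000.205:202): item=0 name="/var/lib/docker/volumes/app/_data" inode=3301 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=NORMAL
type=PATH msg=audit(1761040000.205:202): item=1 name="/var/lib/docker/overlay2/ab12/merged/data" inode=3390 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1761040000.310:203): arch=c000003e syscall=165 success=yes exit=0 a0=55e1a0b3c100 a1=55e1a0b3c140 a2=55e1a0b3c180 a3=0 items=2 ppid=1400 pid=1450 auid=1000 uid=0 gid=0 comm="mount" exe="/usr/bin/mount" key="bind_mounts"
type=PATH msg=audit(1761040000.310:203): item=0 name="/dev/sdb1" inode=412 dev=00:06 mode=060660 ouid=0 ogid=6 nametype=NORMAL
type=PATH msg=audit(1761040000.310:203): item=1 name="/mnt/data" inode=9001 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1761040000.420:204): arch=c000003e syscall=165 success=yes exit=0 a0=5621f0c4d2a0 a1=5621f0c4d2e0 a2=0 a3=5000 items=2 ppid=2000 pid=2044 auid=1000 uid=0 gid=0 comm="bash" exe="/usr/bin/bash" key="bind_mounts"
type=PATH msg=audit(1761040000.420:204): item=0 name="/opt/.cache/4242" inode=11200 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=NORMAL
type=PATH msg=audit(1761040000.420:204): item=1 name="/proc/4242" inode=20950 dev=00:16 mode=040555 ouid=0 ogid=0 nametype=NORMAL
"""

_EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Split one raw auditd record into a field -> value dict (quotes stripped)."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    m = _EVENT_RE.search(line)
    if m:
        fields["_time"], fields["_serial"] = m.group(1), m.group(2)
    return fields


def group_events(text):
    """Group SYSCALL and PATH records that share an audit serial into one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_audit_line(line) if line.strip() else {}
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    return events


def find_proc_bind_mounts(text, watched_prefixes=("/proc/",)):
    """Return one alert per successful mount(2) carrying MS_BIND whose target
    path (from the PATH records of the same event) falls under a watched prefix.
    watched_prefixes mirrors the WatchedProcPaths mutable element."""
    alerts = []
    for serial, records in group_events(text).items():
        paths = [r.get("name", "") for r in records if r.get("type") == "PATH"]
        for sc in (r for r in records if r.get("type") == "SYSCALL"):
            if int(sc.get("syscall", -1)) != MOUNT_SYSCALL_X86_64:
                continue
            if sc.get("success") != "yes":
                continue
            flags = int(sc.get("a3", "0"), 16)   # auditd prints args as bare hex
            if not flags & MS_BIND:
                continue
            targets = [p for p in paths if p.startswith(watched_prefixes)]
            if not targets:
                continue                          # benign bind mount elsewhere
            sources = [p for p in paths if p not in targets]
            alerts.append({
                "serial": serial,
                "time": sc.get("_time"),
                "pid": sc.get("pid"),
                "comm": sc.get("comm"),
                "exe": sc.get("exe"),
                "auid": sc.get("auid"),
                "source": sources[0] if sources else None,
                "target": targets[0],
                "recursive": bool(flags & MS_REC),
            })
    return alerts


if __name__ == "__main__":
    for a in find_proc_bind_mounts(SAMPLE_AUDIT_LOG):
        print(f"[AN1196] event {a['serial']} pid={a['pid']} comm={a['comm']} "
              f"bind{'(rbind)' if a['recursive'] else ''} {a['source']} -> {a['target']}")
```

Events 201 and 204 are reported; 202 is a bind mount into a container overlay rather than a watched /proc path, and 203 carries no MS_BIND bit, so both are dropped. In a deployment the alert's `pid`/`target` pair is the hook for the third link of the behavior chain: compare the /proc/<pid> view against an independent source such as osquery's `processes` table within the CorrelationWindow.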