defense_evasion_mount_execution.toml

[metadata]
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/11"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of mount process with hidepid parameter, which can make processes invisible to
other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide
the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user
can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for
the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more.
With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option,
which can now be monitored and detected.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Hidden Process via Mount Hidepid"
references = [
    "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
]
risk_score = 47
rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where process.name=="mount" and event.action =="exec" and
    process.args: ( "/proc") and process.args: ("-o") and process.args:("*hidepid=2*") and
    host.os.type == "linux"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"