T1564.013 Bind Mounts Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Primary: Detect mount --bind / -B targeting /proc paths via Microsoft Defender for Endpoint (Linux)
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName == "mount"
| where ProcessCommandLine has_any ("--bind", "-o bind", "-obind")
       or (ProcessCommandLine has " -B " and ProcessCommandLine has "/proc/")
       or (ProcessCommandLine has "-B/" and ProcessCommandLine has "/proc/")
| where ProcessCommandLine contains "/proc/"
| extend BindMountType = case(
    ProcessCommandLine has "--bind", "long-form --bind",
    ProcessCommandLine has "-o bind", "option -o bind",
    ProcessCommandLine has "-obind", "compressed -obind",
    ProcessCommandLine has " -B ", "short-form -B",
    "unknown"
  )
| extend TargetProc = extract(@"(/proc/\d+)", 1, ProcessCommandLine)
| extend SourcePath = extract(@"mount[^/]+(/[^\s]+)\s+(/proc/\d+)", 1, ProcessCommandLine)
| extend IsEmptyDirMount = SourcePath !contains "/proc/" and isnotempty(TargetProc)
| extend IsProcOverProc = SourcePath contains "/proc/" and isnotempty(TargetProc)
| project TimeGenerated, DeviceName, AccountName, AccountDomain,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessAccountName,
          BindMountType, TargetProc, SourcePath, IsEmptyDirMount, IsProcOverProc
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (Linux)

Required Tables

DeviceProcessEvents

False Positives

Container runtimes (Docker, containerd, podman) legitimately use bind mounts for volume mapping, though these typically target /var, /tmp, or application directories rather than /proc
System administrators or SREs using bind mounts during chroot or namespace operations for legitimate troubleshooting or environment setup
Configuration management tools (Ansible, Chef) mounting /proc inside test containers or build environments during CI/CD pipelines
Linux Live CD / forensic boot environments that bind-mount host /proc into investigation chroot environments

Splunk

spl

index=linux sourcetype="linux:audit"
| eval a0=coalesce(a0,""), a1=coalesce(a1,""), a2=coalesce(a2,""), a3=coalesce(a3,""), a4=coalesce(a4,"")
| eval cmdline=a0." ".a1." ".a2." ".a3." ".a4
| eval bind_flag=case(
    a1="--bind", 1,
    a1="-B",     1,
    (a1="-o" AND a2="bind"), 1,
    a1="-obind", 1,
    match(cmdline, "(--bind|-obind)"), 1,
    1=1, 0
  )
| eval proc_target=if(match(cmdline, "/proc/\d+"), 1, 0)
| where type="EXECVE" AND a0="mount" AND bind_flag=1 AND proc_target=1
| eval target_pid=replace(replace(cmdline, ".*(/proc/\d+).*", "\1"), ".*(\d+).*", "\1")
| eval source_path=replace(cmdline, "mount[^/]*(/[^\s]+)\s+/proc.*", "\1")
| eval is_empty_dir_mount=if(NOT match(source_path, "/proc/"), 1, 0)
| eval is_proc_over_proc=if(match(source_path, "/proc/\d+"), 1, 0)
| join type=left pid [
    search index=linux sourcetype="linux:audit" type=SYSCALL
    | table pid, uid, auid, exe, comm, key, ppid
  ]
| table _time, host, pid, ppid, uid, auid, exe, comm, cmdline, source_path, target_pid, is_empty_dir_mount, is_proc_over_proc, key
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Linux auditd EXECVE Linux auditd SYSCALL

Required Sourcetypes

linux:audit

False Positives

Container runtimes invoking bind mounts for volume mapping — filter by comm!="containerd" AND comm!="dockerd" AND comm!="runc"
System initialization scripts during boot that set up namespace mounts in /proc — filter by auid=4294967295 (unset AUID) if baseline confirms this
Kubernetes node agents (kubelet) performing bind mounts for pod volume provisioning
Legitimate chroot setup scripts used by hosting providers or jail environments

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.name == "mount" and
  (
    (process.args : ("--bind","-o bind","-obind") and
     process.args : ("/proc*","/sys*","/dev*")) or
    (process.args : ("-B") and
     process.args_count >= 3)
  )

high severity high confidence

Data Sources

Linux Process Events

Required Tables

logs-endpoint.events.process-*

False Positives

Container runtimes (Docker, containerd, podman) legitimately use bind mounts for volume mapping, though these typically target /var, /tmp, or application directories rather than /proc
System administrators or SREs using bind mounts during chroot or namespace operations for legitimate troubleshooting or environment setup
Configuration management tools (Ansible, Chef) mounting /proc inside test containers or build environments during CI/CD pipelines
Linux Live CD / forensic boot environments that bind-mount host /proc into investigation chroot environments

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine, "ParentImage" as ParentProcess,
  CASE WHEN "CommandLine" ILIKE '%/proc%' AND "CommandLine" ILIKE '%bind%' THEN 10
       WHEN "CommandLine" ILIKE '%-B %/proc%' THEN 10
       WHEN "CommandLine" ILIKE '%/sys%' AND "CommandLine" ILIKE '%bind%' THEN 8
       ELSE 6 END as RiskScore
FROM events
WHERE eventid = 1
  AND "Image" ILIKE '%/mount%'
  AND (
    ("CommandLine" ILIKE '%-o bind%' OR "CommandLine" ILIKE '%-obind%' OR "CommandLine" ILIKE '%--bind%')
    OR "CommandLine" ILIKE '% -B %'
  )
  AND ("CommandLine" ILIKE '%/proc%' OR "CommandLine" ILIKE '%/sys%' OR "CommandLine" ILIKE '%/dev%')
ORDER BY RiskScore DESC, EventTime DESC

high severity high confidence

Data Sources

Sysmon for Linux Linux Audit

Required Tables

events

False Positives

Container runtimes (Docker, containerd, podman) legitimately use bind mounts for volume mapping, though these typically target /var, /tmp, or application directories rather than /proc
System administrators or SREs using bind mounts during chroot or namespace operations for legitimate troubleshooting or environment setup
Configuration management tools (Ansible, Chef) mounting /proc inside test containers or build environments during CI/CD pipelines
Linux Live CD / forensic boot environments that bind-mount host /proc into investigation chroot environments

Sumo Logic CSE

sql

_sourceCategory=linux/sysmon OR _sourceCategory=linux/audit
| json auto
| where EventID == "1"
| eval ImageLower = toLower(coalesce(Image,""))
| eval CmdLower = toLower(coalesce(CommandLine,""))
| where ImageLower matches ".*/mount$"
| eval is_bind = if(CmdLower matches ".*(--bind|-o bind|-obind|-B ).*", 1, 0)
| eval targets_proc = if(CmdLower matches ".*/proc.*", 1, 0)
| eval targets_sys = if(CmdLower matches ".*/sys.*", 1, 0)
| where is_bind == 1 AND (targets_proc == 1 OR targets_sys == 1)
| eval risk = if(targets_proc == 1, "critical", "high")
| table _time, Computer, User, Image, CommandLine, ParentImage, risk
| sort by _time desc

high severity high confidence

Data Sources

Sysmon for Linux via Sumo Logic Linux Audit via Sumo Logic

Required Tables

linux/sysmon linux/audit

False Positives

Container runtimes (Docker, containerd, podman) legitimately use bind mounts for volume mapping, though these typically target /var, /tmp, or application directories rather than /proc
System administrators or SREs using bind mounts during chroot or namespace operations for legitimate troubleshooting or environment setup
Configuration management tools (Ansible, Chef) mounting /proc inside test containers or build environments during CI/CD pipelines
Linux Live CD / forensic boot environments that bind-mount host /proc into investigation chroot environments

Google Chronicle / SecOps

yaral

rule linux_bind_mount_proc_hiding {
  meta:
    author = "Detection Engineering"
    description = "Detects Linux bind mount targeting /proc for process hiding (T1564.013)"
    severity = "HIGH"
    tactic = "TA0005"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.file.full_path, `/mount$`) nocase
    re.regex($e.target.process.command_line, `(--bind|-o\s+bind|-obind|-B\s)`) nocase
    re.regex($e.target.process.command_line, `/proc|/sys|/dev`) nocase

  condition:
    $e
}

high severity high confidence

Data Sources

Linux Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Container runtimes (Docker, containerd, podman) legitimately use bind mounts for volume mapping, though these typically target /var, /tmp, or application directories rather than /proc
System administrators or SREs using bind mounts during chroot or namespace operations for legitimate troubleshooting or environment setup
Configuration management tools (Ansible, Chef) mounting /proc inside test containers or build environments during CI/CD pipelines
Linux Live CD / forensic boot environments that bind-mount host /proc into investigation chroot environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| PlatformType = "9"
| ImageFileName = /\/mount$/
| CommandLine = /(--bind|-o\s*bind|-obind|-B\s)/i
| CommandLine = /(\/proc|\/sys|\/dev)/i
| eval risk = case {
    CommandLine = /\/proc/i : "critical";
    CommandLine = /\/sys/i : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, risk
| sort by timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Process Events (Linux)

Required Tables

ProcessRollup2

False Positives

Container runtimes (Docker, containerd, podman) legitimately use bind mounts for volume mapping, though these typically target /var, /tmp, or application directories rather than /proc
System administrators or SREs using bind mounts during chroot or namespace operations for legitimate troubleshooting or environment setup
Configuration management tools (Ansible, Chef) mounting /proc inside test containers or build environments during CI/CD pipelines
Linux Live CD / forensic boot environments that bind-mount host /proc into investigation chroot environments

Bind Mounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections