T1564.013 Microsoft Sentinel · KQL

Detect Bind Mounts in Microsoft Sentinel

Adversaries may abuse bind mounts on Linux to hide malicious process activity from native utilities such as ps and top and from direct inspection of /proc. A bind mount maps a directory or file from one location to another (mount --bind, mount -B, or mount -o bind). By bind-mounting a benign process's /proc entry, or an empty directory, on top of a malicious process's /proc directory (e.g., mount --bind /proc/<benign_pid> /proc/<malicious_pid>), adversaries make every tool that reads /proc/<malicious_pid> see the decoy's contents instead of the real process metadata; the process itself keeps running, only the /proc view that monitoring tools consult is altered. Mounting requires CAP_SYS_ADMIN, in practice root or sudo. The technique has been observed in active campaigns including Commando Cat (Docker container abuse) and cryptomining attacks documented by AhnLab.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.013 Bind Mounts
Canonical reference
https://attack.mitre.org/techniques/T1564/013/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto
// Primary: Detect mount --bind / -B / -o bind targeting /proc/<pid> paths via Microsoft Defender for Endpoint (Linux)
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName == "mount"
| where ProcessCommandLine contains "/proc/"
// Match every bind spelling: --bind and --rbind; -B alone or inside a combined short-flag group (e.g. -vB);
// -o bind and -obind, including bind as one entry of a comma-separated option list (-o ro,bind)
| where ProcessCommandLine matches regex @"(^|\s)--r?bind(\s|=|$)"
       or ProcessCommandLine matches regex @"(^|\s)-[a-zA-Z]*B[a-zA-Z]*(\s|$)"
       or ProcessCommandLine matches regex @"(^|\s)-o\s*(\S*,)?r?bind\b"
| extend BindMountType = case(
    ProcessCommandLine matches regex @"(^|\s)--r?bind(\s|=|$)", "long-form --bind",
    ProcessCommandLine matches regex @"(^|\s)-o\s+(\S*,)?r?bind\b", "option -o bind",
    ProcessCommandLine matches regex @"(^|\s)-o(\S*,)?r?bind\b", "compressed -obind",
    ProcessCommandLine matches regex @"(^|\s)-[a-zA-Z]*B[a-zA-Z]*(\s|$)", "short-form -B",
    "unknown"
  )
// Source and target are the last two arguments and the target must be /proc/<pid>.
// Taking the LAST /proc/<pid> matters: in a /proc-over-/proc swap the first one is the benign source.
// Command lines that place options after the paths (mount /src /proc/<pid> -o bind) leave both fields empty.
| extend SourcePath = extract(@"\s(\S+)\s+(/proc/\d+)/?\s*$", 1, ProcessCommandLine)
| extend TargetProc = extract(@"\s(\S+)\s+(/proc/\d+)/?\s*$", 2, ProcessCommandLine)
| extend IsProcOverProc = SourcePath startswith "/proc/"
// Command-line telemetry cannot prove the source directory is empty; this flags any non-/proc source bound over a /proc entry
| extend IsEmptyDirMount = isnotempty(SourcePath) and SourcePath !startswith "/proc/"
| project TimeGenerated, DeviceName, AccountName, AccountDomain,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessAccountName,
          BindMountType, TargetProc, SourcePath, IsEmptyDirMount, IsProcOverProc
| sort by TimeGenerated desc
Severity: high · Confidence: high

Detects bind mount operations targeting /proc process directories using Microsoft Defender for Endpoint (MDE) Linux telemetry. The query matches every spelling of a bind mount: --bind and --rbind (long form), -B (short form, alone or inside a combined flag group such as -vB), and -o bind / -obind (option form, including bind inside an option list such as -o ro,bind). Source and target are read from the last two arguments, so in a /proc-over-/proc swap TargetProc is the hidden PID rather than the benign source. IsProcOverProc flags a source that is itself a /proc/<pid> entry (metadata substitution); IsEmptyDirMount flags any other source bound over a process entry (the command line cannot prove the directory is empty, only that something outside /proc now covers /proc/<pid>). Both patterns indicate process hiding consistent with T1564.013. The query keys on FileName == "mount", so a busybox mount applet, a statically linked tool, or a direct mount(2) syscall from the implant produces no matching row; pair it with an auditd rule on the mount syscall (-S mount) or a periodic check of /proc/self/mountinfo for mount points under /proc/<pid>.
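The matching and extraction logic of the query, as an added example in Python rather than code from this page's detection package: it applies the same bind-spelling regexes and last-two-arguments parse to constructed DeviceProcessEvents-shaped rows that mirror the four test cases in the Testing Methodology, plus a benign container volume bind and a host-proc path that the "/proc/" filter does not match. The regex names, the sample PIDs and the decoy paths are assumptions made for the example.

```python
"""Local emulation of the KQL filters: classify bind spellings and extract source/target.
Added example, not the page's query; the sample rows below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Long form: --bind / --rbind
LONG_FORM = re.compile(r"(?:^|\s)--r?bind(?:\s|=|$)")
# Short form: -B alone or inside a combined short-flag group such as -vB
SHORT_FORM = re.compile(r"(?:^|\s)-[a-zA-Z]*B[a-zA-Z]*(?:\s|$)")
# Option form with a space (-o bind, -o ro,bind) and compressed (-obind, -oro,bind)
OPTION_SPACED = re.compile(r"(?:^|\s)-o\s+(?:\S*,)?r?bind\b")
OPTION_COMPRESSED = re.compile(r"(?:^|\s)-o(?:\S*,)?r?bind\b")
# Source and target are the last two arguments and the target must be /proc/<pid>.
# Taking the LAST /proc/<pid> is what makes a /proc-over-/proc swap report the hidden PID,
# not the benign source. Command lines with options after the paths are not parsed.
SRC_DST = re.compile(r"\s(\S+)\s+(/proc/\d+)/?\s*$")


@dataclass(frozen=True)
class BindMountFinding:
    bind_type: str
    source: str
    target: str
    proc_over_proc: bool  # source is itself a /proc/<pid> entry (metadata swap)


def bind_mount_type(cmdline: str) -> Optional[str]:
    """Name the bind spelling used, or None if the command line is not a bind mount."""
    if LONG_FORM.search(cmdline):
        return "long-form --bind"
    if OPTION_SPACED.search(cmdline):
        return "option -o bind"
    if OPTION_COMPRESSED.search(cmdline):
        return "compressed -obind"
    if SHORT_FORM.search(cmdline):
        return "short-form -B"
    return None


def detect(event: Dict[str, str]) -> Optional[BindMountFinding]:
    """Evaluate one DeviceProcessEvents-shaped row (FileName, ProcessCommandLine)."""
    if event.get("FileName") != "mount":
        return None
    cmd = event.get("ProcessCommandLine", "")
    bind_type = bind_mount_type(cmd)
    if bind_type is None or "/proc/" not in cmd:  # the same two gates as the KQL where-clauses
        return None
    m = SRC_DST.search(cmd)
    if m is None:
        return None  # bind mount mentioning /proc, but no /proc/<pid> as the final argument
    source, target = m.group(1), m.group(2)
    return BindMountFinding(bind_type, source, target, source.startswith("/proc/"))


def run(events: List[Dict[str, str]]) -> List[BindMountFinding]:
    """Apply detect() to a batch of rows and keep only the hits."""
    return [f for f in (detect(e) for e in events) if f is not None]


# Constructed sample rows (not real telemetry); PIDs and decoy paths are illustrative.
SAMPLE_EVENTS = [
    {"FileName": "mount", "ProcessCommandLine": "mount --bind /tmp/empty_proc_decoy /proc/4242"},  # Test 1
    {"FileName": "mount", "ProcessCommandLine": "mount --bind /proc/1 /proc/4242"},                # Test 2
    {"FileName": "mount", "ProcessCommandLine": "mount -B /tmp/df00tech_decoy /proc/4242"},        # Test 3
    {"FileName": "mount", "ProcessCommandLine": "mount -o ro,bind /tmp/decoy /proc/4242/"},        # option list
    {"FileName": "mount", "ProcessCommandLine": "mount --bind /decoy /host_proc/4242"},            # Test 4 shape: no "/proc/"
    {"FileName": "mount", "ProcessCommandLine": "mount --bind /var/lib/app /mnt/app"},             # benign volume bind
    {"FileName": "umount", "ProcessCommandLine": "umount /proc/4242"},                              # not a mount
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints four findings: the first three rows map to the three bind spellings and the fourth shows bind inside an option list; the /host_proc row, the volume bind and the umount row produce nothing, which is exactly the behaviour to expect from the query.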

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Microsoft Defender for Endpoint (Linux)

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Container runtimes (Docker, containerd, podman) legitimately use bind mounts for volume mapping, though these typically target /var, /tmp, or application directories rather than /proc
  • System administrators or SREs using bind mounts during chroot or namespace operations for legitimate troubleshooting or environment setup
  • Configuration management tools (Ansible, Chef) mounting /proc inside test containers or build environments during CI/CD pipelines
  • Linux Live CD / forensic boot environments that bind-mount host /proc into investigation chroot environments

Testing Methodology

Validate this detection against the 4 adversary test cases below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Every test needs root and leaves a mount in place over a live /proc entry, so run it on a disposable host or VM and remove the mount afterwards (umount /proc/<pid>).

  1. Test 1: Bind Mount Empty Directory Over Process /proc Entry

    Expected signal: auditd EXECVE: type=EXECVE msg=audit(...): argc=4 a0="mount" a1="--bind" a2="/tmp/empty_proc_decoy" a3="/proc/<pid>". auditd SYSCALL: syscall=mount uid=0 auid=<real_user_uid> exe=/usr/bin/mount comm=mount. Sysmon for Linux (if deployed): EventCode=1, Image=/usr/bin/mount, CommandLine='mount --bind /tmp/empty_proc_decoy /proc/<pid>'. DeviceProcessEvents: FileName=mount, ProcessCommandLine containing '--bind' and '/proc/<numeric_pid>'. Confirm the hide took effect before cleanup: ps -p <pid> returns no entry, while /proc/self/mountinfo on the host lists a mount whose mount point is /proc/<pid>.

  2. Test 2: Bind Mount Benign Process /proc Entry Over Malicious Process

    Expected signal: auditd EXECVE: a0=mount a1=--bind a2=/proc/<benign_pid> a3=/proc/<malicious_pid>. auditd SYSCALL: syscall=mount, uid=0, auid=<login uid of the user who escalated to root>; auid is the original login identity and does not change under sudo, which is what ties the mount back to a person. DeviceProcessEvents: ProcessCommandLine='mount --bind /proc/<benign_pid> /proc/<malicious_pid>', both paths matching the /proc/\d+ pattern. The kernel audit trail shows two numeric /proc paths as arguments. Check that the extracted TargetProc is the second path (the malicious PID), not the first (the benign source); after the mount, /proc/<malicious_pid>/comm and /proc/<malicious_pid>/cmdline return the benign process's values.

  3. Test 3: Bind Mount Using -B Short Flag (Alternative Syntax)

    Expected signal: auditd EXECVE: a0=mount a1=-B a2=/tmp/df00tech_decoy a3=/proc/<pid>. Note: -B must be detected separately from --bind, and mount also accepts it inside a combined short-flag group such as -vB. DeviceProcessEvents: ProcessCommandLine containing ' -B ' with /proc/<pid>. Detection queries that only match on '--bind' will miss this variant; verify that both patterns fire.

  4. Test 4: Simulate Commando Cat Docker Container Bind Mount Pattern

    Expected signal: DeviceProcessEvents: FileName=mount, InitiatingProcessFileName=bash (inside the container namespace), ProcessCommandLine='mount --bind /decoy /host_proc/<pid>'. Container runtime logs: docker run event with --privileged and --pid=host flags. auditd on the host: SYSCALL mount from the container namespace, uid=0, auid may be 4294967295 (unset) if the session started fully inside the container, a key differentiator for container-origin attacks. Docker events: `docker events --filter event=start` will show the container invocation. Note: a host /proc mounted at a non-default path inside the container (here /host_proc) does not contain the literal string '/proc/', so the query above, which requires '/proc/' in the command line, will not match this form; extend that filter to the container's host-proc mount point, or detect the mount syscall with auditd on the host instead.
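A host-side check that does not depend on seeing the mount command line at all, added here as an example and not part of this page's tooling: it parses /proc/self/mountinfo and reports every mount whose mount point is a /proc/<pid> directory, which is how you confirm Tests 1 and 2 actually hid the process and how you catch a bind mount made through a busybox applet or a direct mount(2) call that never shows up as a "mount" process event. The mountinfo text embedded below is constructed; the PIDs, device numbers and decoy path are illustrative.

```python
"""Host-side check: list mounts whose mount point covers a /proc/<pid> directory.
Added example, not the page's tooling; SAMPLE_MOUNTINFO is constructed, not captured."""
import re
from dataclasses import dataclass
from typing import List

# mountinfo mount points are absolute; a bind over a process entry lands exactly on /proc/<pid>
PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")


@dataclass(frozen=True)
class ProcOverlay:
    mount_id: int
    pid: int              # the process whose /proc entry is covered
    mount_point: str
    fstype: str
    source: str
    root: str             # path inside the source filesystem that is bound here
    proc_over_proc: bool  # the source is another process's /proc entry (fstype proc)


def _unescape(field: str) -> str:
    # mountinfo escapes space, tab, newline and backslash as octal \040, \011, \012, \134
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[ProcOverlay]:
    """Return every mount that covers a /proc/<pid> directory, in mountinfo order."""
    overlays: List[ProcOverlay] = []
    for line in text.splitlines():
        # Layout: id parent maj:min root mountpoint opts [optional fields...] - fstype source superopts
        head, sep, tail = line.partition(" - ")
        pre, post = head.split(), tail.split()
        if not sep or len(pre) < 6 or len(post) < 2:
            continue
        root, mount_point = _unescape(pre[3]), _unescape(pre[4])
        m = PROC_PID_MOUNT.match(mount_point)
        if m is None:
            continue  # /proc itself, /proc/sys/..., or an unrelated mount
        overlays.append(ProcOverlay(
            mount_id=int(pre[0]), pid=int(m.group(1)), mount_point=mount_point,
            fstype=post[0], source=post[1], root=root, proc_over_proc=(post[0] == "proc"),
        ))
    return overlays


def scan_live(path: str = "/proc/self/mountinfo") -> List[ProcOverlay]:
    """Read the calling process's mount table. Run this from the host (init) mount
    namespace: inside a container you only see that container's own mounts."""
    with open(path, encoding="utf-8") as fh:
        return parse_mountinfo(fh.read())


# Constructed sample: the root filesystem, /proc, binfmt_misc under /proc (not a PID entry),
# a /proc-over-/proc swap covering PID 4242 with PID 1's entry, an empty-directory overlay on
# PID 4343, and an ordinary bind mount of an application directory that must be ignored.
SAMPLE_MOUNTINFO = """\
28 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/root rw
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
35 22 0:33 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - binfmt_misc binfmt_misc rw
101 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
102 22 253:0 /tmp/empty_proc_decoy /proc/4343 rw,relatime shared:1 - ext4 /dev/mapper/root rw
103 28 253:0 /var/lib/app /mnt/app rw,relatime shared:1 - ext4 /dev/mapper/root rw
"""

if __name__ == "__main__":
    for o in parse_mountinfo(SAMPLE_MOUNTINFO):
        kind = "proc-over-proc swap" if o.proc_over_proc else "overlay from " + o.fstype
        print(f"mount {o.mount_id}: /proc/{o.pid} covered by {o.root} ({kind})")
```

For a scheduled check, call scan_live() from a host-level agent and alert on any non-empty result; there is no legitimate reason for a mount point to sit on a numeric /proc entry, which makes this a far lower-noise signal than the command-line query and a good way to validate that a test run actually produced the overlay.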
