title: Bind Mounts (T1564.013)
id: df00tech-t1564-013
status: experimental
description: "Adversaries may abuse bind mounts on Linux file structures to hide malicious process activity from native utilities such as ps, top, and /proc filesystem inspection. A bind mount maps a directory or file from one location to another using mount --bind, mount -B, or mount -o bind. By overlaying a benign process's /proc entry on top of a malicious process's /proc directory (e.g., mount --bind /proc/<benign_pid> /proc/<malicious_pid>), adversaries cause the kernel to present false process metadata to monitoring utilities. This technique requires root or sudo privileges and has been observed in active campaigns including Commando Cat (Docker container abuse) and cryptomining attacks documented by AhnLab."
references:
  - https://attack.mitre.org/techniques/T1564/013/
  - https://df00tech.com/detections/T1564.013
author: df00tech
date: 2026/03/12
tags:
  - attack.t1564.013
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Container runtimes (Docker, containerd, podman) legitimately use bind mounts for volume mapping, though these typically target /var, /tmp, or application directories rather than /proc"
  - System administrators or SREs using bind mounts during chroot or namespace operations for legitimate troubleshooting or environment setup
  - "Configuration management tools (Ansible, Chef) mounting /proc inside test containers or build environments during CI/CD pipelines"
  - Linux Live CD / forensic boot environments that bind-mount host /proc into investigation chroot environments
level: high