Description
Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It’s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access.
Adversaries may use bind mounts to map either an empty directory or a benign /proc directory to a malicious process’s /proc directory. Using the commands mount –o bind /proc/benign-process /proc/malicious-process (or mount –B), the malicious process's /proc directory is overlayed with the contents of a benign process's /proc directory. When system utilities query process activity, such as ps and top, the kernel follows the bind mount and presents the benign directory’s contents instead of the malicious process's actual /proc directory. As a result, these utilities display information that appears to come from the benign process, effectively hiding the malicious process's metadata, executable, or other artifacts from detection.(Citation: Cado Security Commando Cat 2024)(Citation: Ahn Lab CoinMiner 2023)
Platforms
References
- Ahn Lab. (2023, April 24). CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers. Retrieved April 4, 2025.
- Nate Bill & Matt Muir. (2024, February 1). The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker. Retrieved April 4, 2025.
Frequently Asked Questions
What is T1564.013 (Bind Mounts)?
T1564.013 is a MITRE ATT&CK technique named 'Bind Mounts'. It belongs to the Stealth tactic(s). Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, s...
How can T1564.013 be detected?
Detection of T1564.013 (Bind Mounts) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1564.013?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1564.013?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.