VYPR
Research · Published Jun 24, 2026 · 1 source

Linux Process Name Masquerading PoC Bypasses /proc Visibility

A SANS researcher published a proof-of-concept that spoofs both /proc/<pid>/comm and /proc/<pid>/cmdline, evading standard process-name detection.

A SANS Internet Storm Center researcher has released a proof-of-concept (PoC) for a Linux process-name masquerading technique that spoofs both /proc/<pid>/comm and /proc/<pid>/cmdline, so that every process listing built from those two files shows a false name. The technique maps to MITRE ATT&CK T1036 (Masquerading) and, according to the researcher, has been used in campaigns by the China-linked Velvet Ant group.

The PoC uses the prctl(PR_SET_NAME) system call to set the thread name that the kernel exposes as /proc/<pid>/comm, which is what top and a plain ps (without -f or aux) display. The kernel keeps at most 15 bytes of that name (TASK_COMM_LEN is 16 including the terminator), so a long kworker-style name is truncated there. Changing /proc/<pid>/cmdline, which ps aux, ps -ef and pgrep -f read, is harder: the kernel keeps no copy of the arguments and instead reads them back from the process's own memory, the region between arg_start and arg_end that execve filled with argv[0], argv[1], ... followed immediately by the environment strings. A process can overwrite those bytes in place but cannot enlarge the region. The PoC therefore writes its fake name across the contiguous argv and environ strings, effectively changing what ps aux reads; this is the same mechanism BSD setproctitle(3) relies on for cosmetic process titles.

Compiled and run, the PoC shows up in process listings as a kernel worker thread such as [kworker/0:1-events]. ps, top and htop all print the spoofed name because they trust comm and cmdline. eBPF-based tools such as Kunai record the executable path and command line at execve time, before the process has had a chance to rename itself, so the exec-time record and the runtime name disagree; that discrepancy is the detection opportunity. The kernel also exposes a few facts about a process that user mode cannot forge: a real kernel thread has the PF_KTHREAD flag (0x00200000) set in the flags field of /proc/<pid>/stat, an empty /proc/<pid>/cmdline, an unreadable /proc/<pid>/exe link and a parent PID of 2 (kthreadd). A "kworker" that fails any of those checks is a user-mode process in disguise.
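The following is an added example, not the SANS PoC's code: it reproduces the two spoofing steps described above (prctl(PR_SET_NAME) for comm, overwriting the argv/environ region for cmdline) and then flags the masquerade from the /proc facts a user-mode process cannot forge. It assumes Linux with glibc; the function and struct names (spoof_comm, spoof_cmdline, read_procfacts, is_fake_kthread) are the example's own.

```c
/* Added example (not the SANS PoC). Linux only. Names are the example's own. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <sys/types.h>

#define PF_KTHREAD 0x00200000u /* include/linux/sched.h: set only on real kernel threads */

/* Step 1: comm. The kernel keeps TASK_COMM_LEN-1 = 15 bytes, so a long
 * kworker-style name is silently truncated ("kworker/0:1-events" -> "kworker/0:1-eve"). */
static int spoof_comm(const char *name) {
    return prctl(PR_SET_NAME, name, 0, 0, 0);
}

/* Step 2: cmdline. The kernel reads /proc/<pid>/cmdline from the process's own
 * memory between arg_start and arg_end, which execve filled with argv[0], argv[1],
 * ... followed immediately by the environment strings. The region cannot grow, so
 * the fake name must fit in argv plus the environ strings still contiguous behind
 * it; that span is overwritten and zero-padded (the setproctitle(3) trick).
 * The environment strings are destroyed, so save anything needed beforehand. */
static int spoof_cmdline(int argc, char **argv, char **envp, const char *fake) {
    char *start = argv[0];
    char *end = argv[argc - 1] + strlen(argv[argc - 1]) + 1;
    for (char **e = envp; *e != NULL; e++) {
        if (*e != end) break;   /* stop at the first env string that is not contiguous */
        end = *e + strlen(*e) + 1;
    }
    size_t span = (size_t)(end - start);
    if (strlen(fake) + 1 > span) return -1; /* does not fit; the region cannot be enlarged */
    memset(start, 0, span);
    memcpy(start, fake, strlen(fake));
    return 0;
}

struct procfacts {
    char comm[64];      /* name from /proc/<pid>/stat; real kworkers may exceed 15 bytes here */
    int ppid;
    unsigned flags;
    size_t cmdline_len; /* bytes read from /proc/<pid>/cmdline; 0 for a real kernel thread */
    int exe_readable;   /* readlink(/proc/<pid>/exe) works; it fails for kernel threads
                           (and, without privilege, for other users' processes) */
};

static ssize_t slurp(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n;
}

static int read_procfacts(pid_t pid, struct procfacts *f) {
    char path[64], buf[4096];
    memset(f, 0, sizeof *f);
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    ssize_t n = slurp(path, buf, sizeof buf - 1);
    if (n <= 0) return -1;
    buf[n] = '\0';
    /* comm is parenthesised and may contain spaces or ')', so anchor on the last ')' */
    char *lp = strchr(buf, '('), *rp = strrchr(buf, ')');
    if (!lp || !rp || rp < lp) return -1;
    size_t clen = (size_t)(rp - lp - 1);
    if (clen >= sizeof f->comm) clen = sizeof f->comm - 1;
    memcpy(f->comm, lp + 1, clen);
    f->comm[clen] = '\0';
    char state; int pgrp, sid, tty, tpgid;
    /* stat fields 3..9 after comm: state ppid pgrp session tty_nr tpgid flags */
    if (sscanf(rp + 1, " %c %d %d %d %d %d %u", &state, &f->ppid, &pgrp, &sid,
               &tty, &tpgid, &f->flags) != 7) return -1;
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    n = slurp(path, buf, sizeof buf);
    f->cmdline_len = n > 0 ? (size_t)n : 0;
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    f->exe_readable = readlink(path, buf, sizeof buf) > 0;
    return 0;
}

static int claims_kthread_name(const char *comm) {
    static const char *const prefixes[] = {"kworker/", "ksoftirqd/", "kthreadd",
                                           "migration/", "rcu_", "kswapd", NULL};
    for (int i = 0; prefixes[i]; i++)
        if (strncmp(comm, prefixes[i], strlen(prefixes[i])) == 0) return 1;
    return 0;
}

/* 1 if pid wears a kernel-thread name the kernel itself contradicts, 0 if consistent,
 * -1 if /proc could not be read. PF_KTHREAD alone is decisive (user mode cannot set
 * it); cmdline, exe and ppid are corroboration, since a real kthread has no mm and,
 * except for kthreadd itself, is parented by PID 2. */
static int is_fake_kthread(pid_t pid, struct procfacts *f) {
    if (read_procfacts(pid, f) < 0) return -1;
    if (!claims_kthread_name(f->comm)) return 0;
    int contradictions = 0;
    if (!(f->flags & PF_KTHREAD)) contradictions++;
    if (f->cmdline_len > 0) contradictions++;
    if (f->exe_readable) contradictions++;
    if (f->ppid != 2 && f->ppid != 0) contradictions++;
    return contradictions > 0;
}

int main(int argc, char **argv, char **envp) {
    struct procfacts f;
    read_procfacts(getpid(), &f);
    printf("before: comm=%s flags=0x%x cmdline_len=%zu\n", f.comm, f.flags, f.cmdline_len);
    spoof_comm("kworker/0:1-events");
    if (spoof_cmdline(argc, argv, envp, "[kworker/0:1-events]") < 0)
        fprintf(stderr, "fake cmdline does not fit in the argv/environ region\n");
    int verdict = is_fake_kthread(getpid(), &f);
    printf("after:  comm=%s cmdline_len=%zu exe_readable=%d ppid=%d -> fake kthread: %d\n",
           f.comm, f.cmdline_len, f.exe_readable, f.ppid, verdict);
    return verdict == 1 ? 0 : 1; /* while this runs, `ps aux` shows [kworker/0:1-events] */
}
```

Run the binary in one terminal and `ps aux | grep kworker` in another: the spoofed entry looks like a worker thread, yet `ps -o comm` shows the truncated kworker/0:1-eve and the checks above all fail it. To sweep a whole host, loop is_fake_kthread over the numeric entries of /proc as root so the exe check is meaningful for every process.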

The technique is not limited to Linux. On Windows, the image path and command line that Task Manager and WMI report live in the Process Environment Block (PEB), user-mode memory the process can rewrite, so those tools can be fed a false name. Kernel-mode structures such as the ImageFileName field of EPROCESS are populated from the mapped image at process creation and cannot be rewritten from user mode, which makes kernel-sourced telemetry (ETW process-creation events, Sysmon, EDR kernel callbacks) the more reliable source. One caveat: even creation-time telemetry reads the command line from the PEB, which an attacker can patch before resuming a process created suspended (command-line argument spoofing); the kernel-sourced image name is the field to trust.

This research highlights the limits of process-name visibility as a detection signal. Security teams should augment process listings with eBPF-based tracers, kernel-level auditing, or endpoint detection and response (EDR) tooling that records process-creation events (executable path, hash, parent) rather than the names a running process reports about itself. The full PoC code and details are available in the SANS diary.

Synthesized by Vypr AI