
SANS ISC: Linux process-name masquerading via `prctl(PR_SET_NAME)` and how to detect it [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

A SANS Internet Storm Center diary (2026-06-24) documents how Linux malware masquerades its process name via prctl(PR_SET_NAME, …), which writes the 15-character comm field in /proc/<pid>/comm — letting a process running ./ps-masquerade appear in ps/top/pgrep as a kernel worker thread such as [kworker/0:1-events] (SANS ISC, 2026-06-24).

The detection key is the divergence between /proc/<pid>/comm (mutable) and /proc/<pid>/cmdline (the original argv, which the kernel will not grow beyond its fixed allocation): a genuine kernel thread has an empty cmdline, so any process whose comm resembles [kworker/*]/[kthreadd] but whose cmdline is non-empty is a high-fidelity hunt artefact. The diary points to eBPF-based tooling (Kunai) that captures the real command line at exec time independently of later comm mutation, and cites Operation Highland (Velvet Ant, Sygnia) as a real-world user of the technique (T1036 Masquerading).

Why it matters to us: This is a free, immediately deployable hunt for any Linux fleet — and a useful complement to today's § 5 deep dive, where the same audit-blindness of in-memory tampering recurs.
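The comm/cmdline divergence hunt described above, written out as an added example (this is not code from the diary, from SANS ISC or from Kunai). It walks /proc, reads the mutable comm and the exec-time cmdline for each pid, and flags the high-fidelity case (kernel-thread-looking comm with a non-empty cmdline) plus a lower-confidence generic mismatch. The names KTHREAD_RE, classify, scan_proc and Finding, the kernel-thread prefix list, and the sample (comm, cmdline) pairs are this example's own assumptions and constructions.

```python
"""Hunt for /proc/<pid>/comm vs /proc/<pid>/cmdline divergence on a Linux host.

Added example, not from the SANS ISC diary. A genuine kernel thread always has
an empty cmdline, so a kernel-thread-like comm with a non-empty cmdline is the
high-fidelity signal; a comm that matches no argv basename is a weaker one.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Kernel-thread name prefixes (assumed list for this example; extend per fleet).
KTHREAD_RE = re.compile(
    r"^(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|kcompactd|watchdog)"
)

HIGH = "high: kernel-thread-like comm but cmdline is non-empty"
LOW = "low: comm does not match any argv basename"


@dataclass
class Finding:
    pid: int
    comm: str
    argv: List[str]
    reason: str


def split_argv(cmdline_raw: bytes) -> List[str]:
    """cmdline is NUL-separated; drop the trailing empty element."""
    return [a.decode("utf-8", "replace") for a in cmdline_raw.split(b"\0") if a]


def classify(comm: str, cmdline_raw: bytes) -> Optional[str]:
    """Return HIGH, LOW or None for one (comm, raw cmdline) pair."""
    argv = split_argv(cmdline_raw)
    if not argv:
        return None  # empty cmdline: genuine kernel thread, nothing to compare
    name = comm.strip().strip("[]")  # a faked comm may embed ps-style brackets
    if KTHREAD_RE.match(name):
        return HIGH
    # Lower-confidence check: comm is normally the 15-char basename of the
    # exec'd file. For shebang scripts that file is argv[1], so compare against
    # the first few argv entries; take the first whitespace token and allow
    # prefix matches because daemons such as sshd rewrite argv in place.
    cands = []
    for a in argv[:3]:
        tok = a.split(None, 1)[0] if a.split() else ""
        cands.append(os.path.basename(tok)[:15])
    if not any(c and (c.startswith(name) or name.startswith(c)) for c in cands):
        return LOW
    return None


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Read comm and cmdline for every numeric entry under proc_root."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().rstrip("\n")
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited or is not readable
        reason = classify(comm, raw)
        if reason:
            findings.append(Finding(int(entry), comm, split_argv(raw), reason))
    return findings


# Constructed (comm, cmdline) pairs, not captured from a real host.
SAMPLES = {
    "genuine kthread": ("kworker/0:1-events", b""),
    "masquerade": ("[kworker/0:1-ev", b"./ps-masquerade\0"),
    "shell": ("bash", b"/bin/bash\0-l\0"),
    "shebang script": ("script.py", b"/usr/bin/python3\0./script.py\0"),
    "sshd session": ("sshd", b"sshd: alice@pts/0\0"),
    "renamed": ("httpd-helper", b"/opt/app/worker\0"),
}


def evaluate_samples() -> dict:
    """Classify the constructed samples; useful as a self-check before a live run."""
    return {label: classify(comm, raw) for label, (comm, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"sample {label!r}: {verdict}")
    for fnd in sorted(scan_proc(), key=lambda f: f.reason):
        print(f"pid={fnd.pid} comm={fnd.comm!r} argv={fnd.argv} {fnd.reason}")
```

Run it as root (or a user allowed to read other users' /proc entries) so cmdline is readable for every pid; only HIGH findings are worth paging on, while LOW is a triage list that legitimate argv-rewriting daemons will populate. Because comm is a point-in-time read, pair this with an exec-time source such as the eBPF capture the diary mentions when you need the pre-mutation command line for a process that has since exited.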