Daily brief 2026-06-27
SANS ISC: Linux process-name masquerading via prctl(PR_SET_NAME) and how to detect it
Part of run 2026-06-27-40e791d4 (intel · Claude Opus 4.8)
A SANS Internet Storm Center diary (2026-06-24) documents how Linux malware masquerades its process name via prctl(PR_SET_NAME, …), which writes the 15-character comm field in /proc/<pid>/comm — letting a process running ./ps-masquerade appear in ps/top/pgrep as a kernel worker thread such as [kworker/0:1-events] (SANS ISC, 2026-06-24). The detection key is the divergence between /proc/<pid>/comm (mutable) and /proc/<pid>/cmdline (the original argv, which the kernel will not grow beyond its fixed allocation): a genuine kernel thread has an empty cmdline, so any process whose comm resembles [kworker/*]/[kthreadd] but whose cmdline is non-empty is a high-fidelity hunt artefact. The diary points to eBPF-based tooling (Kunai) that captures the real command line at exec time independently of later comm mutation, and cites Operation Highland (Velvet Ant, Sygnia) as a real-world user of the technique (T1036 Masquerading).
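The comm/cmdline divergence check described above, as an added hunt script (not the diary's or Kunai's code): it flags any process whose /proc/<pid>/comm looks like a kernel thread while its cmdline is non-empty. The list of kernel-thread name prefixes and the constructed procfs fixture are this example's assumptions.

```python
import os
import re
import tempfile

# Kernel-thread names as they appear in /proc/<pid>/comm (ps adds the brackets
# when cmdline is empty); the list is this example's assumption, extend as needed.
KTHREAD_RE = re.compile(r"^\[?(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|cpuhp)")

def is_masquerade(comm: str, cmdline: bytes) -> bool:
    """A kernel-thread-looking comm paired with a non-empty cmdline is the artefact."""
    if not KTHREAD_RE.match(comm.strip()):
        return False
    # Genuine kthreads have an empty cmdline; anything else was exec'd from user space.
    return len(cmdline.strip(b"\x00")) > 0

def scan_proc(proc="/proc"):
    """Walk a procfs tree; return sorted (pid, comm, argv0) for every divergence."""
    findings = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "comm")) as f:
                comm = f.read()
            with open(os.path.join(proc, entry, "cmdline"), "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # process exited or unreadable; not a finding
        if is_masquerade(comm, cmdline):
            argv0 = cmdline.split(b"\x00")[0].decode(errors="replace")
            findings.append((int(entry), comm.strip(), argv0))
    return sorted(findings)

def build_fixture():
    """Constructed mini procfs for offline testing: a real kthread, a spoof, a shell."""
    root = tempfile.mkdtemp()
    entries = {
        "17": ("kworker/0:1-events\n", b""),                    # genuine kthread
        "4242": ("[kworker/0:1-ev\n", b"./ps-masquerade\x00"),  # 15-char PR_SET_NAME spoof
        "1000": ("bash\n", b"bash\x00-l\x00"),                  # ordinary process
    }
    for pid, (comm, cmdline) in entries.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "comm"), "w") as f:
            f.write(comm)
        with open(os.path.join(root, pid, "cmdline"), "wb") as f:
            f.write(cmdline)
    return root
```

On a live host call `scan_proc()` as root so every process's cmdline is readable; the fixture shows the expected shape of a hit.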
Why it matters to us: This is a free, immediately deployable hunt for any Linux fleet — and a useful complement to today's § 5 deep dive, where the same audit-blindness of in-memory tampering recurs.