You can spoof both /proc/pid/comm and /proc/pid/cmdline on Linux with a single C program, and neither ps nor top will catch it. Xavier Mertens, a SANS ISC handler and SEC670 instructor, published a proof-of-concept that makes a process look like a kernel worker thread. The technique maps directly to MITRE ATT&CK T1036 (Masquerading) and has been used by groups like Velvet Ant to hide in plain sight.
How /proc/pid/comm and /proc/pid/cmdline Lie

Linux stores process names in two places inside /proc/pid/. The file 'comm' holds up to 15 characters and is what 'ps' and 'top' show by default. The file 'cmdline' contains the full argv array, read by 'ps aux' and 'pgrep -f'. Changing 'comm' is trivial: just call prctl(PR_SET_NAME, "new-name"). Changing 'cmdline' is harder because argv points into a fixed-size memory region allocated by the kernel. Mertens worked around that constraint by spilling the new name into the contiguous argv and environ block. His set_cmdline() function locates the end of that block, then overwrites from the start. Because the kernel reports whatever bytes sit at that memory address, 'cmdline' faithfully returns the fake string.
The PoC: prctl and argv Overwrite

The 60-line C program defaults to impersonating ' ' - a legitimate-looking kernel task. After calling prctl to set 'comm' to "kworker/0:1", it overwrites argv with the full disguise. Running 'ps aux' on the PID shows the forged name; 'cat /proc/pid/comm' confirms the same lie. Mertens compiled and ran it on REMnux, and both ps and htop displayed the phony process without blinking.
Detection: eBPF Sees Through the Mask

Good news: tools like Kunai, which hook into eBPF, capture the real exec path and command line before the process can rewrite them. In Mertens's test, Kunai logged the true command_line as "./ps-masquerade" and the exe path as "/home/remnux/ps-masquerade". Traditional process listing tools have no chance - they read from /proc after the overwrite.

What about Windows? The Process Environment Block (PEB) stores ImagePathName and CommandLine as UNICODE_STRINGs writable from user mode, so Task Manager and WMI can be fooled. But kernel-level fields like EPROCESS.ImageFileName are set from the actually mapped image and remain untouchable from user mode. Same game, different kernel constraints.

This masquerading will keep working until monitoring tools stop relying solely on /proc for process names. If your detection pipeline depends on 'ps' output, you're already blind to it.
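The two sections above make one defensive point between them: 'comm' and 'cmdline' are writable from user mode, but the /proc/pid/exe symlink and the parent PID are not, and a real kernel thread is a child of kthreadd (PID 2) with no exe target and an empty cmdline. The following added example (not Mertens's code and not part of the ISC diary) turns that into a cross-check you can run on a box where eBPF tooling such as Kunai is not available. It scans /proc and flags processes whose name claims to be a kernel thread while the unforgeable fields say otherwise. The kernel-thread name pattern and the sample records in the usage note are constructed for illustration; the file names 'ps-masquerade' and 'kworker/0:1' are the ones from the diary.

```python
"""Cross-check /proc to spot user-space processes posing as kernel threads.

A process can rewrite /proc/<pid>/comm (prctl PR_SET_NAME) and /proc/<pid>/cmdline
(argv overwrite), but it cannot change the /proc/<pid>/exe link or its parent PID
from user mode. Real kernel threads are children of kthreadd (PID 2), have no
resolvable exe link and an empty cmdline. Disagreement between those facts and a
kernel-thread-looking name is the indicator this script looks for.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed list of common kernel-thread name prefixes; not exhaustive.
KTHREAD_NAME = re.compile(
    r"^(kworker/|ksoftirqd/|kthreadd$|migration/|rcu_|kswapd|kcompactd|watchdog/|cpuhp/)"
)


@dataclass
class ProcRecord:
    pid: int
    ppid: int
    comm: str
    cmdline: str           # argv joined by spaces; "" for kernel threads
    exe: Optional[str]     # readlink(/proc/<pid>/exe), or None when there is no target


def assess(rec: ProcRecord) -> List[str]:
    """Return the reasons rec looks like a masquerading process (empty list = clean)."""
    reasons: List[str] = []
    claims_kthread = bool(KTHREAD_NAME.match(rec.comm)) or bool(KTHREAD_NAME.match(rec.cmdline))
    if claims_kthread:
        # Kernel threads never have an exe target, a user-space parent, or argv.
        if rec.exe is not None:
            reasons.append(f"kernel-thread name but exe resolves to {rec.exe}")
        if rec.ppid not in (0, 2):
            reasons.append(f"kernel-thread name but parent is PID {rec.ppid}, not kthreadd")
        if rec.cmdline:
            reasons.append("kernel-thread name but non-empty cmdline")
    # Lower-confidence signal: comm normally equals the first 15 bytes of the exec'd
    # filename. Scripts run via shebang (comm = script name, exe = interpreter) and
    # daemons that rename themselves will also trip this, so treat it as context only.
    if rec.exe is not None:
        base = os.path.basename(rec.exe)[:15]
        if rec.comm != base:
            reasons.append(f"comm {rec.comm!r} differs from exe basename {base!r}")
    return reasons


def read_proc(pid: int) -> Optional[ProcRecord]:
    """Build a ProcRecord from /proc/<pid>; None if the process vanished or is unreadable."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/cmdline", "rb") as f:
            raw = f.read().rstrip(b"\0")
            cmdline = raw.replace(b"\0", b" ").decode(errors="replace")
        ppid = 0
        with open(f"{base}/status") as f:
            for line in f:
                if line.startswith("PPid:"):
                    ppid = int(line.split()[1])
                    break
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return None
    try:
        exe: Optional[str] = os.readlink(f"{base}/exe")
    except OSError:
        # Kernel threads and zombies have no target. Without root, other users'
        # processes also fail here (EACCES), so the exe check is blind for them.
        exe = None
    return ProcRecord(pid, ppid, comm, cmdline, exe)


def scan_proc() -> Dict[int, Tuple[ProcRecord, List[str]]]:
    """Walk /proc and return {pid: (record, reasons)} for every flagged process."""
    findings: Dict[int, Tuple[ProcRecord, List[str]]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        rec = read_proc(int(name))
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings[rec.pid] = (rec, reasons)
    return findings


if __name__ == "__main__":
    for pid, (rec, reasons) in sorted(scan_proc().items()):
        print(f"PID {pid} comm={rec.comm!r} ppid={rec.ppid} exe={rec.exe}")
        for r in reasons:
            print("   -", r)
```

Run it as root so /proc/pid/exe is readable for every process; unprivileged, it still catches the PPID and cmdline mismatches. Against the diary's PoC the record would look like ProcRecord(pid, 1, "kworker/0:1", "kworker/0:1", "/home/remnux/ps-masquerade") and assess() reports all three kernel-thread contradictions plus the basename mismatch, while a genuine ProcRecord(15, 2, "kworker/0:1", "", None) comes back clean. The design deliberately reads only fields the kernel derives from the mapped image and the process tree, which is the same principle that lets Kunai and EPROCESS.ImageFileName survive the spoof.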
Source: Linux Process Name Masquerading (Wed, Jun 24th)
Domain: isc.sans.edu