Daniel Roberson - process masquerading

process masquerading

2024-08-27

Process masquerading aka process name stomping is an anti-analysis/deception technique used by malware in which a malicious process changes its name to something that appears benign.

For example, malware may change its name to something like “/usr/bin/httpd” to disguise itself as a web server or “[kauditd]” to disguise itself as a kernel thread instead of /dev/shm/totally_awesome_implant

https://sandflysecurity.com/blog/detecting-linux-kernel-process-masquerading-with-command-line-forensics/

https://haxrob.net/process-name-stomping/

process masquerading

2024-08-27

Links to this note

Recent Posts

Linux Persistence: Modular Software

2025-04-17 DFIR CTF persistence linux persistence apache asterisk

Linux Persistence: Web Shells

2025-04-16 DFIR persistence webshell linux persistence webshell apache nginx PHP

Linux Persistence: Rootkits

2025-04-15 DFIR persistence rootkit LKM linux persistence LKM rootkit LD_PRELOAD kprobe ftrace ld.so hooking

Linux Persistence: Processes

2025-04-11 DFIR persistence processes linux persistence processes

Defanging Linux LKM Rootkits With cleanup_module()

2025-04-05 Linux LKM rootkits EDR hooks incident response Linux LKM rootkit