ps and top become unreliable: APTs overwrite argv[0] and use prctl to impersonate kworker. eBPF tools like Kunai recover the real binary path but miss the original exec name.

A new technical diary from the SANS Internet Storm Center, published Wednesday, June 24, demonstrates with source code how malicious processes on Linux can effectively masquerade as [kworker/0:1-events] — the legitimate name of a kernel worker thread — by simultaneously manipulating prctl(PR_SET_NAME) and the contiguous argv/environ memory. This is not theoretical: Sygnia documented operational use of this same technique in the Velvet Ant APT campaign, with binaries posing as [khubd] and smbd -D. The most uncomfortable revelation for security teams is that modern eBPF tools like Kunai identify the real executable path but cannot recover the original exec name.

Key Takeaways
  • The process name in ps/top on Linux comes from /proc/<pid>/comm, limited to 15 characters, modifiable via prctl(PR_SET_NAME) without special privileges.
  • To alter /proc/<pid>/cmdline, which ps aux reads, malware has to overwrite the contiguous block where execve placed the argv[0..n] and environ strings: argv[0] cannot be grown in place without clobbering argv[1], so the whole region is zeroed and the fake name written at its start.
  • The SANS PoC demonstrates full masquerading as [kworker/0:1-events], a name indistinguishable from a legitimate kernel thread in a process list.
  • Kunai, an eBPF detection tool, exposes the real executable path (/home/remnux/ps-masquerade) but not the original exec name, leaving an attribution gap in the execution flow.
  • Velvet Ant, a Chinese-nexus APT active since 2016, applied this technique in the wild, overwriting argv[0] with [khubd] for a SOCKS5 proxy disguised as smbd -D.

The Two Layers of Masquerading: comm and cmdline

The first component of the trick is prctl(PR_SET_NAME), the syscall documented in the Linux man pages that lets a process rename itself in /proc/<pid>/comm. This is the name top shows in its COMMAND column by default (and the CMD column of a plain ps -e; ps -ef and htop show the full command line instead), and it is limited to 15 characters, a limit the SANS diary author likens to the ImageFileName field in Windows.

The result: a malicious process can call itself kworker/0:1 and, at a glance, pass for a kernel thread. Two caveats a practitioner should keep in mind: prctl writes into a plain 15-byte buffer, while the kernel formats a real workqueue worker's displayed name separately, so the 18-character kworker/0:1-events can only ever become kworker/0:1-eve through prctl; and the brackets that ps prints around kernel threads are added by ps because their cmdline is empty, not stored in comm. The full bracketed string therefore has to come from the second layer.

The second component is more aggressive. ps aux reads /proc/<pid>/cmdline, which the kernel serves from the byte range execve filled with the argv strings (the kernel has long tolerated setproctitle-style overwrites that spill into the environment region). Here a structural property of that layout comes into play: argv[0] occupies exactly the bytes execve gave it, with argv[1] starting immediately after, so a longer name cannot be written in place without clobbering what follows.

To overwrite it, malware cannot simply write a longer name: it must zero the entire contiguous region that includes argv[1], argv[2], ... argv[n] and the environment variables environ, then copy the fake name into that cleared memory.

The SANS PoC source code shows this mechanism explicitly: a loop that zeros all memory from argv[i] + strlen(argv[i]) + 1 onward, then overwrites it with the fictitious name. The chosen name is deliberately credible: [kworker/0:1-events], with square brackets that mimic the Linux kernel thread naming convention.
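The two layers as working code. This is an added example, not the SANS PoC and not Velvet Ant's implant; the function names are the editor's, and it assumes Linux with /proc mounted and the usual execve layout (argv strings followed by environ strings, back to back). The name [kworker/0:1-events] is the one from the diary; the verification step at the end reads back what comm, cmdline and the exe link report, which is exactly the split a detector has to exploit.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Layer 1: /proc/self/comm. The kernel keeps 15 bytes plus a NUL and silently
   truncates anything longer; no capability is required (prctl(2)). */
int set_comm(const char *name)
{
    return prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0);
}

/* Layer 2 needs the byte range execve filled with the argv and environ strings.
   Walk both arrays and insist that each string starts exactly where the previous
   one ended, so an unexpected layout makes us refuse instead of scribbling over
   unrelated stack memory. Returns the region length, or 0 if not contiguous. */
size_t find_arg_region(int argc, char **argv, char **envp, char **start)
{
    char *end = argv[0];
    for (int i = 0; i < argc; i++) {
        if (argv[i] != end)
            return 0;
        end = argv[i] + strlen(argv[i]) + 1;
    }
    for (char **e = envp; e && *e; e++) {
        if (*e != end)
            return 0;
        end = *e + strlen(*e) + 1;
    }
    *start = argv[0];
    return (size_t)(end - argv[0]);
}

/* Zero the whole region so no fragment of the old arguments or environment
   survives, then write the fake name at its start. The process's own environment
   is gone after this (getenv will fail); copy what you need beforehand.
   Returns 0 on success, -1 if the name plus its NUL does not fit. */
int overwrite_cmdline(char *start, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (n + 1 > len)
        return -1;
    memset(start, 0, len);
    memcpy(start, name, n);
    return 0;
}

/* Read a small /proc/self file the way ps would render it: embedded NULs become
   spaces, trailing spaces and the newline are trimmed. Returns the length or -1. */
ssize_t read_proc_self(const char *file, char *buf, size_t n)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", file);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t r = read(fd, buf, n - 1);
    close(fd);
    if (r < 0)
        return -1;
    for (ssize_t i = 0; i < r; i++)
        if (buf[i] == '\0')
            buf[i] = ' ';
    while (r > 0 && (buf[r - 1] == ' ' || buf[r - 1] == '\n'))
        r--;
    buf[r] = '\0';
    return r;
}

int main(int argc, char **argv, char **envp)
{
    /* The name a real workqueue worker displays is 18 characters: the prctl copy
       truncates to 15, only the cmdline copy carries the full bracketed form. */
    const char *fake_comm = "kworker/0:1-events";
    const char *fake_cmdline = "[kworker/0:1-events]";
    char *start, buf[256];

    size_t len = find_arg_region(argc, argv, envp, &start);
    if (len == 0) {
        fputs("argv/environ not contiguous, refusing to overwrite\n", stderr);
        return 1;
    }
    if (set_comm(fake_comm) != 0 || overwrite_cmdline(start, len, fake_cmdline) != 0) {
        fputs("masquerade failed\n", stderr);
        return 1;
    }
    read_proc_self("comm", buf, sizeof buf);
    printf("comm:    %s\n", buf);     /* kworker/0:1-eve (truncated) */
    read_proc_self("cmdline", buf, sizeof buf);
    printf("cmdline: %s\n", buf);     /* [kworker/0:1-events] */
    ssize_t r = readlink("/proc/self/exe", buf, sizeof buf - 1);
    if (r >= 0) {
        buf[r] = '\0';
        printf("exe:     %s (the real binary, which is what Kunai reports)\n", buf);
    }
    return 0;
}
```

Run it and compare `ps -e` (comm, truncated) with `ps aux` (cmdline, full name) and `ls -l /proc/<pid>/exe` (unchanged): the three views disagree, and that disagreement is the detection signal.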

The Kunai Gap: eBPF Sees the File, Not the History

The good news, according to the diary, is that eBPF tools like Kunai detect the real executable path: in the author's test, the JSON output shows "exe": {"path": "/home/remnux/ps-masquerade"}. The bad news is that Kunai does not recover the original exec name — the argument passed at the moment of execve before manipulation.

The ancestor process chain is visible, but the original binary name at launch time remains lost.

This creates an operational problem for security teams: an alert based solely on "suspicious process name" can be evaded, but an alert based on "executable path" requires a baseline of legitimate executables. If the attacker drops the binary in a lightly monitored directory, the only anomaly indicator remains post-execution behavior, not the identity declared at launch.

From Velvet Ant to PoC: The Technique in the Wild

The technique is not a laboratory curiosity. Sygnia, in its analysis of Operation Highland, documented that Velvet Ant — a Chinese-nexus group active since 2016 — overwrote its own argv[0] with [khubd], a name that mimics a legitimate USB kernel thread.

The SOCKS5 proxy used for C2 communication was instead disguised as smbd -D, the Samba daemon. The MITRE ATT&CK T1036 (Masquerading) classification describes dozens of similar campaigns, but the Linux detail remains less documented than its Windows counterpart.

The SANS diary explicitly links its PoC to this operational case history: the argv[0] + prctl mechanism is the same one Velvet Ant employed in the field, although the group does not necessarily bother with prctl, since an argv[0] overwrite alone is enough to fool ps aux.

What to Do Now

Security teams must act on three specific fronts, derived directly from the documented limits in the brief.

First: verify that the eBPF detection tools in use — Kunai or equivalents — are configured to log the exe.path field and the ancestors chain, not just the current process name. The brief shows Kunai exposes /home/remnux/ps-masquerade in JSON: this telemetry must be integrated into alerting rules, with baselines of executable paths per user and per host.

Second: filters on ps, top, or htop as the sole criterion for authorization or monitoring are now unreliable. Policies that authorize network connections, file access, or privileges based on process name must be recalibrated to use executable file identity (inode, canonicalized path, or hash) rather than the name declared at runtime. Of those, a hash or a package-manager baseline of expected binaries is the more robust choice, because an attacker who drops a binary also chooses its path and inode.

Third: the brief documents no system patches or kernel configurations that prevent argv[0] manipulation. prctl and argv overwrite are legitimate Linux kernel mechanisms, not vulnerabilities. There is no CVE to patch, no kernel version that disables them. Defense remains in behavioral detection, not configuration-based prevention.
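What a host-side check for the second front can look like, given that there is nothing to patch. This is an added example by the editor, not Kunai and not code from the diary: a sweep over /proc that flags any process presenting a kernel-thread identity it cannot back up. The facts it keys on cannot be altered by prctl or an argv overwrite: a genuine kernel thread has PF_KTHREAD (0x00200000, from include/linux/sched.h) set in field 9 of /proc/<pid>/stat, an empty /proc/<pid>/cmdline, and no /proc/<pid>/exe link (readlink fails with ENOENT). The kthread name prefixes in the list, the /home/remnux/ps-masquerade path in the usage note and the struct layout are the editor's assumptions.

```c
#include <ctype.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PF_KTHREAD 0x00200000UL   /* include/linux/sched.h: "I am a kernel thread" */

struct procinfo {
    pid_t pid, ppid;              /* kernel threads hang off kthreadd (pid 2) */
    unsigned long flags;          /* field 9 of /proc/<pid>/stat */
    char comm[64];                /* the kernel formats workqueue names longer than 15 here */
    char cmdline[256];            /* argv[0] only; empty for real kernel threads */
    char exe[256];
    int has_exe;                  /* readlink(/proc/<pid>/exe) fails with ENOENT for kernel threads */
};

/* Does the process present itself as a kernel thread? Either its cmdline starts
   with '[' (real kernel threads have an empty cmdline, ps adds the brackets) or
   its comm carries a known kthread prefix (list is an assumption, extend it). */
int claims_kernel_thread(const char *comm, const char *cmdline)
{
    static const char *prefixes[] = { "kworker/", "ksoftirqd/", "khubd", "migration/", NULL };
    if (cmdline[0] == '[')
        return 1;
    for (const char **p = prefixes; *p; p++)
        if (strncmp(comm, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* A genuine kernel thread has PF_KTHREAD, no exe link and an empty cmdline. A
   user process that only renamed itself has none of these. */
const char *verdict(const struct procinfo *p)
{
    if (!claims_kernel_thread(p->comm, p->cmdline))
        return "user";
    int genuine = (p->flags & PF_KTHREAD) && !p->has_exe && p->cmdline[0] == '\0';
    return genuine ? "kernel-thread" : "MASQUERADE";
}

static int read_file(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t r = read(fd, buf, n - 1);
    close(fd);
    if (r < 0)
        return -1;
    if (r > 0 && buf[r - 1] == '\n')
        r--;
    buf[r] = '\0';
    return 0;
}

/* Gather the facts for one pid. Returns -1 if it vanished or stat is unparsable. */
int collect(pid_t pid, struct procinfo *p)
{
    char path[64], stat[512];
    memset(p, 0, sizeof *p);
    p->pid = pid;
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    if (read_file(path, stat, sizeof stat) < 0)
        return -1;
    /* comm sits in parentheses and may contain spaces or ')': split at the last ')' */
    char *lp = strchr(stat, '('), *rp = strrchr(stat, ')');
    if (!lp || !rp || rp < lp)
        return -1;
    size_t cl = (size_t)(rp - lp - 1);
    if (cl >= sizeof p->comm)
        cl = sizeof p->comm - 1;
    memcpy(p->comm, lp + 1, cl);
    p->comm[cl] = '\0';
    /* after ')': state ppid pgrp session tty_nr tpgid flags ... */
    char state; long pgrp, sess, tty, tpgid;
    if (sscanf(rp + 2, "%c %d %ld %ld %ld %ld %lu",
               &state, &p->ppid, &pgrp, &sess, &tty, &tpgid, &p->flags) != 7)
        return -1;
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    read_file(path, p->cmdline, sizeof p->cmdline);
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    ssize_t r = readlink(path, p->exe, sizeof p->exe - 1);
    if (r >= 0) { p->exe[r] = '\0'; p->has_exe = 1; }
    return 0;
}

/* Walk /proc and report every masquerader. Returns the count, -1 without /proc. */
int sweep(void)
{
    DIR *d = opendir("/proc");
    if (!d)
        return -1;
    struct dirent *de; struct procinfo p; int flagged = 0;
    while ((de = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0]))
            continue;
        if (collect((pid_t)atoi(de->d_name), &p) < 0)
            continue;                           /* exited while we were looking */
        if (strcmp(verdict(&p), "MASQUERADE") == 0) {
            flagged++;
            printf("pid %d ppid %d comm=%s cmdline=%s exe=%s flags=0x%lx\n",
                   (int)p.pid, (int)p.ppid, p.comm, p.cmdline, p.exe, p.flags);
        }
    }
    closedir(d);
    return flagged;
}

int main(void)
{
    int n = sweep();
    printf("%d process(es) masquerading as kernel threads\n", n < 0 ? 0 : n);
    return n > 0;
}
```

Against a process disguised the way the diary describes, the sweep prints a line such as pid, ppid, comm=kworker/0:1-eve, cmdline=[kworker/0:1-events], exe=/home/remnux/ps-masquerade, flags without bit 0x200000 (constructed illustration). The exe path is the same field Kunai exposes; the PF_KTHREAD flag and the empty cmdline are the two facts a renaming process cannot fake, and a comm that looks like a truncated kworker name is a bonus tell.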

The Real Issue: Process-Name-Based Authentication

The most immediate consequence is for anything that treats the process name as an identity: monitoring scripts that grep ps output, alert rules keyed on comm or cmdline, and allow-lists in tooling that consume /proc names. Mandatory access control such as SELinux and AppArmor is not in this category, since it binds policy to the executable's label or path at exec time, which a later rename does not change; the exposure is in the name-based checks layered on top of it.

No zero-day exploitation or privilege escalation is required: a normal user process can perform both operations.

The impact for security tool developers is equally clear. eBPF detection has proven its value in seeing past the fictitious name, but the gap on the original exec name is a reminder that telemetry is always a partial reconstruction.

The execution chain is more reliable than a single point in time, but the chain itself can be manipulated if the attacker controls the entire launch flow.

The technique has been known for years, classified, and yet its practical effectiveness remains high. The kernel worker thread is a natural impersonation target because its presence is expected, its activity is opaque to most administrators, and the name with square brackets makes it immediately recognizable as "internal" to the system.

Impersonating [kworker/0:1-events] is not a sophisticated attack: it is social engineering applied to the operating system, exploiting the limited attention of anyone reading ps in a hurry.

"A good news is that tools like Kunai (that rely on eBPF) will catch the real command line but won't be able to find back the exec name." — Senior ISC Handler, SANS Internet Storm Center

The overall reading is one of persistent asymmetry: the attacker has two mechanisms at their disposal (prctl + argv overwrite), while the defender has partial detection and no kernel countermeasure. Until eBPF tracing recovers the full exec history, the process name in Linux will remain a battlefield.

Information is based on the cited source and current as of publication.

Sources and references
  1. isc.sans.edu
  2. attack.mitre.org
  3. sygnia.co
  4. man7.org