
Process Name Masquerading

Open CheraghiMilad opened this issue 7 months ago • 6 comments

Summary of the Pull Request

Detects usage of the prctl syscall with PR_SET_NAME (option 0x0f), which is commonly used for process name masquerading or hiding malicious processes.

Changelog

new: Process Name Masquerading via Prctl Syscall

Example Log Event

{
  "type": "SYSCALL",
  "msg": {
    "timestamp": "1749126720.461",
    "record_id": "51630"
  },
  "arch": "c000003e",
  "syscall": 157,
  "success": "yes",
  "exit": 0,
  "a0": "f",
  "a1": "569b0d25e008",
  "a2": "0",
  "a3": "0",
  "items": 0,
  "ppid": 4056,
  "pid": 4063,
  "auid": 1000,
  "uid": 1000,
  "gid": 1000,
  "euid": 1000,
  "suid": 1000,
  "fsuid": 1000,
  "egid": 1000,
  "sgid": 1000,
  "fsgid": 1000,
  "tty": "pts4",
  "ses": 3,
  "comm": "kworker/u8:3",
  "exe": "/tmp/masquerade",
  "subj": "unconfined",
  "key": "prctl-monitor"
}

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

CheraghiMilad · Jun 05 '25 13:06

Hi @phantinuss Could you review this one? thanks a lot

CheraghiMilad · Aug 04 '25 19:08

Hi, @nasbench @frack113 @phantinuss Ping?

CheraghiMilad · Aug 28 '25 22:08

Hi, https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/prctl-syscall/README.md is not found.

a0 is https://man7.org/linux/man-pages/man2/PR_SET_NAME.2const.html, isn't it?

frack113 · Aug 29 '25 05:08

> Hi, https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/prctl-syscall/README.md is not found.
>
> a0 is https://man7.org/linux/man-pages/man2/PR_SET_NAME.2const.html, isn't it?

Hi, @frack113 Thanks for your attention. The link issue is fixed now.

About a0, just to clarify: the prctl function has around 20 different options. In the first argument, you specify whichever option you want to use (in this case, PR_SET_NAME). In the logs, this option shows up as the number f, which is correct.

If you’d like to see the full cycle in action (it only takes about 2 minutes), check out this PoC demo on YouTube: https://www.youtube.com/watch?v=gjaBhmXWHsw

Thanks again!

CheraghiMilad · Aug 29 '25 07:08
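The example log event in the PR description and the a0 explanation above both come down to the same decoding step: on x86_64 (audit arch `c000003e`) syscall 157 is prctl, and `"a0": "f"` is the hex option number 15, which `<linux/prctl.h>` defines as PR_SET_NAME. The following is an added Python example, not the Sigma rule from this PR and not code by its author, that applies that decoding to newline-delimited JSON audit records and enriches each hit with two defender-side signals: whether `comm` still matches the basename of `exe`, and whether the new name imitates a kernel thread. The option table, the aarch64 mapping (arch `c00000b7`, syscall 167) and the sample records other than the PR's own are assumptions constructed for the example.

```python
import json
from pathlib import PurePosixPath

# prctl option numbers from <linux/prctl.h>; the PR's log shows PR_SET_NAME as "a0": "f" (hex 15).
# Only a subset of the ~20 options is listed here.
PRCTL_OPTIONS = {
    1: "PR_SET_PDEATHSIG", 2: "PR_GET_PDEATHSIG",
    3: "PR_GET_DUMPABLE", 4: "PR_SET_DUMPABLE",
    15: "PR_SET_NAME", 16: "PR_GET_NAME",
    21: "PR_GET_SECCOMP", 22: "PR_SET_SECCOMP",
    38: "PR_SET_NO_NEW_PRIVS", 39: "PR_GET_NO_NEW_PRIVS",
}
PR_SET_NAME = 15

# prctl syscall number per audit arch code: x86_64 (c000003e) uses 157 as in the PR's log;
# aarch64 (c00000b7) uses the asm-generic number 167 (assumed mapping for this example).
PRCTL_SYSCALL_BY_ARCH = {"c000003e": 157, "c00000b7": 167}

# Name prefixes that only kernel threads legitimately carry (assumed list for this example).
KERNEL_THREAD_PREFIXES = ("kworker/", "kthreadd", "ksoftirqd/", "migration/", "rcu_")

# The kernel stores comm in a 16-byte buffer, so a legitimate comm is the exe basename cut to 15 chars.
TASK_COMM_MAX = 15


def _hex_arg(value):
    """auditd prints syscall arguments as bare hex strings ("f", "569b0d25e008")."""
    try:
        return int(str(value), 16)
    except ValueError:
        return None


def check_prctl_set_name(record):
    """Return a finding dict if the SYSCALL record is prctl(PR_SET_NAME, ...), else None."""
    if record.get("type") != "SYSCALL":
        return None
    arch = str(record.get("arch", "")).lower()
    if record.get("syscall") != PRCTL_SYSCALL_BY_ARCH.get(arch):
        return None
    option = _hex_arg(record.get("a0"))
    if option != PR_SET_NAME:
        return None
    comm = str(record.get("comm", ""))
    exe = str(record.get("exe", ""))
    exe_base = PurePosixPath(exe).name if exe else ""
    return {
        "pid": record.get("pid"),
        "uid": record.get("uid"),
        "option": PRCTL_OPTIONS.get(option, f"PR_{option}"),
        "comm": comm,
        "exe": exe,
        # the process name no longer matches the binary that was executed
        "comm_exe_mismatch": bool(exe_base) and comm != exe_base[:TASK_COMM_MAX],
        # the new name imitates a kernel thread although exe is a userland path
        "kernel_thread_name": comm.startswith(KERNEL_THREAD_PREFIXES),
    }


def scan(lines):
    """Run the check over newline-delimited JSON audit records and return all findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = check_prctl_set_name(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample input: the first record is trimmed from the PR's example log event,
# the other two are made up for this example (a benign PR_SET_DUMPABLE call and an aarch64 rename).
SAMPLE_RECORDS = [
    '{"type": "SYSCALL", "arch": "c000003e", "syscall": 157, "a0": "f", "a1": "569b0d25e008", '
    '"pid": 4063, "uid": 1000, "comm": "kworker/u8:3", "exe": "/tmp/masquerade"}',
    '{"type": "SYSCALL", "arch": "c000003e", "syscall": 157, "a0": "4", "a1": "1", '
    '"pid": 4100, "uid": 1000, "comm": "python3.12", "exe": "/usr/bin/python3.12"}',
    '{"type": "SYSCALL", "arch": "c00000b7", "syscall": 167, "a0": "f", "a1": "ffff8000", '
    '"pid": 222, "uid": 0, "comm": "sshd", "exe": "/dev/shm/.x"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(json.dumps(f))
```

Feeding real data means exporting SYSCALL records with a key such as the PR's `prctl-monitor` and converting them to one JSON object per line; `comm_exe_mismatch` is only a triage signal, since some legitimate daemons rename their worker threads, so the finding is meant to be reviewed alongside `exe`, `uid` and the parent process rather than alerted on alone.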

Thanks for the video and the link fix. With only "a0": "f", and no source code, I had to read the C header to find the PR_SET_NAME 😄

frack113 · Aug 29 '25 11:08

> Thanks for the video and the link fix. With only "a0": "f", and no source code, I had to read the C header to find the PR_SET_NAME 😄

Thanks so much for taking the time :) And yeah, I should’ve provided a bit more data. I do open-source work, but with a kind of closed-source mindset :)

CheraghiMilad · Aug 29 '25 15:08