
Summary
This detection rule uses Auditd log data to identify process name stomping through the `prctl` syscall. It matches `prctl` calls whose first argument (`a0`, which auditd records in hexadecimal) is `f`, that is 15, the value of `PR_SET_NAME`. That option overwrites the calling thread's command name (`comm`), which is what `/proc/<pid>/comm`, `top` and the default `ps` output display, so a malicious process can present itself under a benign or kernel-thread-like name. Because `PR_SET_NAME` changes only `comm` and not the executable path, the rule pairs the syscall match with execution from suspicious directories, which keeps legitimate daemons that rename their workers from dominating the alerts while still flagging the defense evasion the technique is used for. The rule requires the Auditd Manager integration to be configured to capture the relevant syscall records, so that security analysts are alerted to this activity and can investigate.
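As an added example, not the rule's own query and not code from the Auditd Manager integration, the following Python script applies the rule's core condition (a SYSCALL record for `prctl` whose `a0` decodes to `PR_SET_NAME`, from an executable under a suspicious directory) to a few constructed raw auditd lines. The production rule evaluates normalized fields rather than raw text; the syscall-number-per-architecture table, the `SUSPICIOUS_DIRS` list and the sample records are assumptions made for this example.

```python
"""Apply the prctl(PR_SET_NAME) name-stomping check to raw auditd SYSCALL
records. Added example for illustration; not the detection rule's query and
not part of the Auditd Manager integration."""
import re
from dataclasses import dataclass

# From <linux/prctl.h>: PR_SET_NAME is 15. auditd logs syscall arguments in
# hexadecimal, so a PR_SET_NAME call appears as a0=f.
PR_SET_NAME = 0xF

# prctl syscall numbers keyed by the auditd "arch" field
# (AUDIT_ARCH_X86_64 and AUDIT_ARCH_AARCH64).
PRCTL_SYSCALL_BY_ARCH = {"c000003e": 157, "c00000b7": 167}

# Assumption for this example: execution from these directories is the
# "suspicious directory" condition the rule pairs with the prctl match.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")

# key=value pairs; values are either quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    pid: str
    comm: str   # name reported in the record
    exe: str    # executable path, which prctl(PR_SET_NAME) cannot change
    arch: str


def parse_record(line: str) -> dict:
    """Split one raw auditd line into a field dictionary."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_prctl_set_name(rec: dict) -> bool:
    """True if the record is a prctl() call whose a0 equals PR_SET_NAME."""
    if rec.get("type") != "SYSCALL":
        return False
    expected = PRCTL_SYSCALL_BY_ARCH.get(rec.get("arch", ""))
    if expected is None:
        return False
    try:
        return (int(rec.get("syscall", "-1")) == expected
                and int(rec.get("a0", ""), 16) == PR_SET_NAME)
    except ValueError:
        return False


def detect(lines) -> list:
    """Return one Alert per PR_SET_NAME call made from a suspicious directory."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if not is_prctl_set_name(rec):
            continue
        exe = rec.get("exe", "")
        if exe.startswith(SUSPICIOUS_DIRS):
            alerts.append(Alert(rec.get("pid", ""), rec.get("comm", ""), exe, rec["arch"]))
    return alerts


# Constructed sample records for this example; not captured from a real host.
SAMPLE_LOG = [
    # Hit: a binary under /dev/shm renames itself to look like a kernel thread.
    'type=SYSCALL msg=audit(1736400000.101:501): arch=c000003e syscall=157 '
    'success=yes exit=0 a0=f a1=7ffd2a3b1c40 a2=0 a3=0 items=0 ppid=4120 '
    'pid=4131 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 '
    'egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="kworker/u8:2" '
    'exe="/dev/shm/.x/run" key="prctl"',
    # No hit: a daemon under /usr/sbin naming a worker process.
    'type=SYSCALL msg=audit(1736400000.102:502): arch=c000003e syscall=157 '
    'success=yes exit=0 a0=f a1=55d1c0e3a2b0 a2=0 a3=0 items=0 ppid=2201 '
    'pid=2210 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 '
    'egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="nginx" '
    'exe="/usr/sbin/nginx" key="prctl"',
    # No hit: prctl from /tmp, but a0=4 is PR_SET_DUMPABLE, not PR_SET_NAME.
    'type=SYSCALL msg=audit(1736400000.103:503): arch=c000003e syscall=157 '
    'success=yes exit=0 a0=4 a1=0 a2=0 a3=0 items=0 ppid=3000 pid=3007 '
    'auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="test" exe="/tmp/build/test" '
    'key="prctl"',
    # Hit on aarch64: same option value, different syscall number.
    'type=SYSCALL msg=audit(1736400000.104:504): arch=c00000b7 syscall=167 '
    'success=yes exit=0 a0=f a1=ffffc8a1b3e0 a2=0 a3=0 items=0 ppid=5170 '
    'pid=5177 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 '
    'egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=5 comm="sshd" '
    'exe="/var/tmp/.cache/updater" key="prctl"',
    # Skipped: not a SYSCALL record.
    'type=PROCTITLE msg=audit(1736400000.104:504): proctitle="updater"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"pid={alert.pid} comm={alert.comm} exe={alert.exe} arch={alert.arch}")
```

Two things to keep in mind when tuning: the records only exist if auditd is collecting `prctl` at all (an audit rule such as `-a always,exit -F arch=b64 -S prctl -k prctl`), and matching on `a0=f` alone is noisy, since any program that names its own thread triggers it (glibc's `pthread_setname_np` uses `prctl(PR_SET_NAME)` for the calling thread). The executable path is the reliable pivot during triage because the syscall rewrites `comm` but never `exe`.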
Categories
- Endpoint
- Linux
Data Sources
- Pod
- Container
- User Account
- Process
- Application Log
- Malware Repository
ATT&CK Techniques
- T1036
- T1036.005
Created: 2025-01-09