The article by Xavier Mertens discusses the technique of Linux process name masquerading, where malicious processes disguise themselves under non-suspicious names. It references the MITRE ATT&CK framework (T1036) and emphasizes that both the process name and the command line can be manipulated. Mertens provides technical examples of how to change these attributes using Linux commands and C code, highlighting the risks and detection methods.
The article also notes the differences in Windows process name handling, where the Process Environment Block (PEB) can similarly be modified. Tools like Kunai can detect such masquerading by capturing real command line execution information.
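As an added example (not code from the article or from Kunai), the following Python script illustrates the detection idea on Linux: the kernel-maintained `/proc/<pid>/exe` link is compared against the two attributes a process can rewrite itself, `/proc/<pid>/comm` (the process name) and `/proc/<pid>/cmdline` (argv). The sample process records in the test are constructed.

```python
from __future__ import annotations
import os

DELETED = " (deleted)"
TASK_COMM_MAX = 15  # the kernel truncates comm to TASK_COMM_LEN - 1 bytes


def inspect(comm: str, cmdline: list[str], exe: str) -> list[str]:
    """Return masquerading indicators for one process.

    comm    : /proc/<pid>/comm, settable by the process itself (e.g. prctl)
    cmdline : /proc/<pid>/cmdline split on NUL; argv can be overwritten in place
    exe     : readlink(/proc/<pid>/exe), maintained by the kernel at exec time
    """
    findings = []
    if exe.endswith(DELETED):  # binary unlinked after exec is itself suspicious
        findings.append("executable was deleted after exec")
        exe = exe[: -len(DELETED)]
    exe_name = os.path.basename(exe)
    if comm and comm != exe_name[:TASK_COMM_MAX]:
        findings.append(f"comm {comm!r} does not match exe {exe_name!r}")
    if not cmdline:
        findings.append("empty cmdline (argv wiped?) for a user-space process")
    elif os.path.basename(cmdline[0]) != exe_name:
        findings.append(f"argv[0] {cmdline[0]!r} does not match exe {exe_name!r}")
    return findings


def scan_proc(proc: str = "/proc") -> dict[int, list[str]]:
    """Walk /proc and report every process with at least one indicator."""
    results = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().rstrip("\n")
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            exe = os.readlink(os.path.join(base, "exe"))
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # kernel threads have no exe; other users' processes need root
        findings = inspect(comm, cmdline, exe)
        if findings:
            results[int(entry)] = findings
    return results


if __name__ == "__main__":
    for pid, findings in sorted(scan_proc().items()):
        print(pid, "; ".join(findings))
```

These are heuristics, not proof: interpreted scripts (comm is the script name, exe the interpreter), multi-call binaries such as busybox, and symlinked executables all trigger the comm check legitimately, so the output needs an allowlist before it is useful as an alert source.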