The ‘Invisibility Cloak’ – Slash-Proc Magic

The author explores a technique, picked up from a Defensive Security course, that hides a running process from the Linux process list with nothing more than a bind mount. The post walks through the Sliver post-exploitation framework to show how an attacker would interact with the compromised host, then applies the trick: bind-mounting a directory over /proc/<pid>, the directory through which that process is exposed, so that tools such as ps, which enumerate /proc, no longer report it. The forensic side is the more interesting part: the author looks at artifacts such as nf_conntrack and points out that the ownership and permissions of the overlaid directory differ from those of a genuine /proc/<pid> entry, a discrepancy an investigator can use as a red flag. The unusual hiding approach and the detailed look at Linux forensic artifacts make this worth reading for anyone doing Linux detection or forensics.
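As an added example (this is not code from the dfir.ch post), the script below reproduces the bind-mount trick and shows two checks that still reveal the process. The mount itself cannot be hidden from /proc/self/mountinfo, and the /proc/<pid> entry still appears when /proc is listed, it just has no stat file behind it. The directory name used for the cover mount and the sample mountinfo lines are constructed for the example; hide_pid and unhide_pid need root, the two detectors do not.

```bash
#!/bin/bash
# Added example, not taken from the post: hide a PID with a bind mount over
# /proc/<pid>, and detect such overlays from the mount table and from /proc.

# hide_pid PID: bind-mount an empty temporary directory over /proc/PID so that
# ps, top and friends can no longer read /proc/PID/stat. Requires root.
# The cover directory (an assumption for this example) is created with mktemp.
hide_pid() {
    local pid="$1"
    local cover
    cover=$(mktemp -d)
    mount --bind "$cover" "/proc/$pid"
}

# unhide_pid PID: remove the overlay again.
unhide_pid() {
    umount "/proc/$1"
}

# find_proc_overlays [MOUNTINFO]: print every mount point that is a
# /proc/<pid> directory. In /proc/self/mountinfo the mount point is the 5th
# whitespace-separated field (after mount id, parent id, major:minor, root).
# A file path may be passed so the logic can run on a captured copy.
find_proc_overlays() {
    local src="${1:-/proc/self/mountinfo}"
    awk '$5 ~ /^\/proc\/[0-9]+$/ { print $5 }' "$src"
}

# find_empty_proc_dirs [PROC_ROOT]: print numeric /proc entries that have no
# stat file. A real process always exposes /proc/<pid>/stat; an empty
# directory mounted over it does not, which is exactly why ps skips it.
# PROC_ROOT defaults to /proc; a fake tree can be passed for testing.
find_empty_proc_dirs() {
    local root="${1:-/proc}"
    local d
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        [ -e "$d/stat" ] || basename "$d"
    done
}

# sample_mountinfo: constructed mountinfo lines for offline testing. Line 3
# is what a bind mount of an ext4 directory over /proc/4242 looks like.
sample_mountinfo() {
    cat <<'EOF'
21 1 0:19 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
87 21 8:1 /tmp/tmp.Xy12 /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw
EOF
}

# scan_live: run both detectors against the running system.
scan_live() {
    echo "mounts over /proc/<pid>:"
    find_proc_overlays
    echo "numeric /proc entries without a stat file:"
    find_empty_proc_dirs
}

# Usage: bash slash_proc.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_live
fi
```

On a clean host both lists are empty. After `hide_pid 4242` the first detector reports `/proc/4242` (findmnt shows the same entry) and the second reports `4242`, while `ps -p 4242` reports nothing, which is the inconsistency the post describes. A process that exits between the directory listing and the stat check can produce a one-off false positive in find_empty_proc_dirs, so rerun before acting on a hit.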

https://dfir.ch/posts/slash-proc/