A deep dive into a Linux process hiding technique using bind mounts to overlay /proc directories, making processes invisible to standard tools like ps. The article demonstrates the technique using a Sliver C2 beacon, explains how it exploits the /proc filesystem that tools rely on, and identifies forensic artifacts for
Table of contents
Introduction
Setting the stage
Forensics
netstat
Diggin deeper
Back again
strace (ps deep-dive)
Conclusion