
Ghosts in /proc: Manipulation and Timeline Corruption

ID: fb8b2012-a7e3-5ffa-a65c-2390b493f037

STIX ID: report--fb8b2012-a7e3-5ffa-a65c-2390b493f037

Feed Name: Group-IB Blog

Threat Score
55/100

Date Published: 2025-11-05

Date Updated: 2026-04-28

...
...

This blog post demonstrates how adversaries with elevated privileges can manipulate the Linux /proc pseudo-filesystem by bind-mounting altered copies of /proc/<pid> entries, falsifying cmdline values and the starttime field in stat so that malicious processes are disguised and timeline data is corrupted. It includes a lab walkthrough and detection/mitigation guidance: monitor mount activity, cross-validate /proc data against kernel and remote telemetry, enforce least privilege, enable kernel integrity controls, and forward immutable audit logs.
