New event will be in Kunai https://github.com/0xrawsec/kunai when a process uses prctl syscall. For instance it can be used to detect task being renamed. It is not always sign of badness but when the exe is located in /dev/shm and new name mimics a legit app it is ! #threathunting #dfir