DET0164 Detection Strategy for Overwritten Process Arguments Masquerading

Item	Value
ID	DET0164
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1036.011 (Overwrite Process Arguments)

Analytics

Linux

AN0466

Detects adversary behavior where the command-line arguments of a running process are overwritten in memory to spoof the process name, typically replacing it with a benign or misleading string. The detection correlates unexpected null byte sequences, discrepancies between /proc/<pid>/cmdline and process ancestry, and suspicious memory writes shortly after process start.

Log Sources

Data Component	Name	Channel
Process Metadata (DC0034)	auditd:SYSCALL	execve, prctl, or ptrace activity affecting process memory or command-line arguments
Process Modification (DC0020)	ebpf:tracepoints	Runtime memory overwrite of argv[] memory region

Mutable Elements

Field	Description
TimeWindow	Time threshold after process creation during which argv memory manipulation is expected to be rare; anomalies occurring outside this window may be more suspicious.
AllowedArgvMismatchPatterns	List of known legitimate processes where argv[0] mismatch is expected due to application logic or packaging quirks.
ParentExecutableTrustList	Trusted parent binaries allowed to spawn processes with altered command-line names.