T1036.011 Overwrite Process Arguments
Adversaries may modify a process’s in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process’s stack and passes them to the main() function as the argv array. The first element, argv[0], typically contains the process name or path - by default, the command used to actually start the process (e.g., cat /etc/passwd). By default, the Linux /proc filesystem uses this value to represent the process name. The /proc/<PID>/cmdline file reflects the contents of this memory, and tools like ps use it to display process information. Since arguments are stored in user-space memory at launch, this modification can be performed without elevated privileges.
During runtime, adversaries can erase the memory used by all command-line arguments for a process, overwriting each argument string with null bytes. This removes evidence of how the process was originally launched. They can then write a spoofed string into the memory region previously occupied by argv[0] to mimic a benign command, such as cat resolv.conf. The new command-line string is reflected in /proc/<PID>/cmdline and displayed by tools like ps.21
| Item | Value |
|---|---|
| ID | T1036.011 |
| Sub-techniques | T1036.001, T1036.002, T1036.003, T1036.004, T1036.005, T1036.006, T1036.007, T1036.008, T1036.009, T1036.010, T1036.011, T1036.012 |
| Tactics | TA0005 |
| Platforms | Linux |
| Version | 1.0 |
| Created | 27 March 2025 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1161 | BPFDoor | BPFDoor overwrites the argv[0] value used by the Linux /proc filesystem to determine the command line and command name to display for each process. BPFDoor selects a name from 10 hardcoded names that resemble Linux system daemons, such as; /sbin/udevd -d, dbus-daemon --system, avahi-daemon: chroot helper, /sbin/auditd -n, and /usr/lib/systemd/systemd-journald.2 |
References
-
Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or with Saurabh Swaroop. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023. ↩
-
The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023. ↩↩