T1036.011 Overwrite Process Arguments Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let KnownSpoofedNames = dynamic([
  "/sbin/udevd", "dbus-daemon", "avahi-daemon", "auditd",
  "systemd-journald", "/sbin/rpcbind", "xinetd", "crond",
  "atd", "acpid", "smartd", "irqbalance"
]);
Syslog
| where TimeGenerated > ago(24h)
| where Facility in ("auth", "authpriv", "daemon")
| where SyslogMessage has "type=EXECVE"
| extend claimed_name = extract(@'a0="([^"]+)"', 1, SyslogMessage)
| extend actual_exe = extract(@'exe="([^"]+)"', 1, SyslogMessage)
| where isnotempty(claimed_name) and isnotempty(actual_exe)
| where claimed_name != actual_exe
| where claimed_name has_any (KnownSpoofedNames) or actual_exe !startswith "/usr/" and actual_exe !startswith "/bin/" and actual_exe !startswith "/sbin/"
| project TimeGenerated, Computer, claimed_name, actual_exe, SyslogMessage
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Process: Process Creation Process: Process Metadata Linux Audit Logs Syslog

Required Tables

Syslog

False Positives

BusyBox multi-call binary — a single /bin/busybox binary is invoked via symlinks with different argv[0] values (ls, cat, grep, etc.), causing legitimate exe/argv[0] mismatches on embedded Linux and container environments
Python, Perl, and Java applications that set a custom process title via setproctitle() or similar libraries for operational clarity — common in application servers (gunicorn, celery, uwsgi)
Shell scripts invoked via interpreter (bash script.sh) where argv[0] is 'bash' but the script name differs from the binary path
Snap-packaged and Flatpak applications that execute through wrapper scripts causing path mismatches between /snap/ paths and actual binaries

Splunk

spl

index=linux_audit sourcetype=linux_audit type=EXECVE
| rex "a0=\"(?<claimed_name>[^\"]+)\""
| rex "exe=\"(?<actual_exe>[^\"]+)\""
| where isnotnull(claimed_name) AND isnotnull(actual_exe)
| where claimed_name!=actual_exe
| eval is_system_daemon_claim=if(match(claimed_name, "^(/sbin/udevd|dbus-daemon|avahi-daemon|auditd|systemd-journald|/sbin/rpcbind|xinetd|crond|atd|acpid|smartd|irqbalance)"), 1, 0)
| eval is_nonstandard_path=if(NOT match(actual_exe, "^(/usr/|/bin/|/sbin/|/lib/)"), 1, 0)
| eval SuspicionScore=is_system_daemon_claim + is_nonstandard_path
| where SuspicionScore > 0
| table _time, host, claimed_name, actual_exe, is_system_daemon_claim, is_nonstandard_path, SuspicionScore
| sort - SuspicionScore - _time

high severity high confidence

Data Sources

Process: Process Creation Process: Process Metadata Linux Audit Logs (auditd)

Required Sourcetypes

linux_audit

False Positives

BusyBox multi-call binary with symlink-based argv[0] on container/embedded systems
Python/Perl applications using setproctitle() for operational process naming
Shell scripts invoked via interpreter causing argv[0] path differences
Snap/Flatpak packaged applications with wrapper script path mismatches

Elastic Security (EQL)

eql

sequence by host.name, process.pid
  [process where event.type == "start" and
   auditd.data.syscall == "execve" and
   auditd.data.a0 != null and
   process.executable != null and
   auditd.data.a0 != process.executable and
   (
     auditd.data.a0 : ("/sbin/udevd*", "dbus-daemon*", "avahi-daemon*", "auditd*", "systemd-journald*", "/sbin/rpcbind*", "xinetd*", "crond*", "atd*", "acpid*", "smartd*", "irqbalance*") or
     (not process.executable : ("/usr/*", "/bin/*", "/sbin/*", "/lib/*"))
   )
  ]

high severity medium confidence

Data Sources

Linux Auditd via Filebeat auditd module Elastic Endpoint Security (Linux agent)

Required Tables

logs-* auditbeat-* filebeat-*

False Positives

Custom init wrappers or process supervisors (e.g., runit, s6) that legitimately rewrite argv[0] to reflect managed service names
Python or Perl scripts that use setproctitle() to set a friendly display name distinct from the interpreter binary path
Container entrypoint shims that rename themselves to match the wrapped process for observability purposes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  hostname,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  "claimed_name",
  "actual_exe",
  UTF8(payload) AS raw_payload
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%linux%audit%'
  AND starttime > NOW() - 1 DAYS
  AND UTF8(payload) LIKE '%type=EXECVE%'
  AND REGEXP_MATCH(UTF8(payload), 'a0="[^"]+"')
  AND REGEXP_MATCH(UTF8(payload), 'exe="[^"]+"')
  AND "claimed_name" != "actual_exe"
  AND (
    REGEXP_MATCH("claimed_name", '^(/sbin/udevd|dbus-daemon|avahi-daemon|auditd|systemd-journald|/sbin/rpcbind|xinetd|crond|atd|acpid|smartd|irqbalance)')
    OR NOT REGEXP_MATCH("actual_exe", '^(/usr/|/bin/|/sbin/|/lib/)')
  )
ORDER BY starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Linux Auditd log source IBM QRadar Log Source for Linux syslog/auditd

Required Tables

events

False Positives

Legitimate process supervisors like daemontools or s6 that rename child processes in argv[0] for display purposes
Application frameworks that use setproctitle() to show human-readable process names different from the binary name
Monitoring agents deployed to non-standard paths (e.g., /opt/) that still present standard daemon-like names

Sumo Logic CSE

sql

_sourceCategory=linux/audit type=EXECVE
| parse regex "a0=\"(?<claimed_name>[^\"]+)\""
| parse regex "exe=\"(?<actual_exe>[^\"]+)\""
| where !isNull(claimed_name) and !isNull(actual_exe)
| where claimed_name != actual_exe
| if(claimed_name matches "/sbin/udevd*" or claimed_name matches "dbus-daemon*" or claimed_name matches "avahi-daemon*" or claimed_name matches "auditd*" or claimed_name matches "systemd-journald*" or claimed_name matches "/sbin/rpcbind*" or claimed_name matches "xinetd*" or claimed_name matches "crond*" or claimed_name matches "atd*" or claimed_name matches "acpid*" or claimed_name matches "smartd*" or claimed_name matches "irqbalance*", 1, 0) as is_daemon_claim
| if(!(actual_exe matches "/usr/*" or actual_exe matches "/bin/*" or actual_exe matches "/sbin/*" or actual_exe matches "/lib/*"), 1, 0) as is_nonstandard_path
| where is_daemon_claim = 1 or is_nonstandard_path = 1
| toInt(is_daemon_claim) + toInt(is_nonstandard_path) as suspicion_score
| fields _messageTime, _sourceHost, claimed_name, actual_exe, is_daemon_claim, is_nonstandard_path, suspicion_score
| sort by suspicion_score desc, _messageTime desc

high severity medium confidence

Data Sources

Linux Auditd via Sumo Logic Installed Collector Sumo Logic Cloud Syslog source for Linux hosts

Required Tables

linux/audit

False Positives

Security tooling or EDR agents installed in non-standard directories that legitimately display service-like names in process listings
Custom built-in shell scripts or startup wrappers deployed in /opt or /home that set argv[0] to a descriptive name
Legitimate test environments running BPFDoor indicators as part of red team exercises or malware analysis

Google Chronicle / SecOps

yaral

rule t1036_011_overwrite_process_arguments {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1036.011 process argument overwriting where argv[0] (claimed process name) differs from the actual executable path and the claimed name impersonates a known Linux system daemon."
    mitre_attack_technique = "T1036.011"
    mitre_attack_tactic = "Defense Evasion"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1036/011/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.command_line != ""
    $e.principal.process.file.full_path != ""
    $e.principal.process.command_line != $e.principal.process.file.full_path
    (
      re.regex($e.principal.process.command_line, `^(/sbin/udevd|dbus-daemon|avahi-daemon|auditd|systemd-journald|/sbin/rpcbind|xinetd|crond|atd|acpid|smartd|irqbalance)`)
      or not re.regex($e.principal.process.file.full_path, `^(/usr/|/bin/|/sbin/|/lib/)`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM — Linux auditd ingestion via Chronicle forwarder Google Chronicle Linux process telemetry

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Legitimate setproctitle() usage by applications such as PostgreSQL worker processes that rename themselves to reflect their current activity
Container runtimes or orchestration agents that spawn processes with display-friendly argv[0] values distinct from the actual binary
Custom hardening wrappers in non-standard paths that present a standard daemon name for compatibility with monitoring tools

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| CommandLine != ImageFileName
| regex(field=CommandLine, regex="^(/sbin/udevd|dbus-daemon|avahi-daemon|auditd|systemd-journald|/sbin/rpcbind|xinetd|crond|atd|acpid|smartd|irqbalance)", strict=false)
  OR not regex(field=ImageFileName, regex="^(/usr/|/bin/|/sbin/|/lib/)", strict=false)
| eval is_daemon_claim := if(regex(CommandLine, "^(/sbin/udevd|dbus-daemon|avahi-daemon|auditd|systemd-journald|/sbin/rpcbind|xinetd|crond|atd|acpid|smartd|irqbalance)"), 1, 0)
| eval is_nonstandard_path := if(not regex(ImageFileName, "^(/usr/|/bin/|/sbin/|/lib/)"), 1, 0)
| eval suspicion_score := is_daemon_claim + is_nonstandard_path
| where suspicion_score > 0
| table([@timestamp, ComputerName, UserName, CommandLine, ImageFileName, ParentImageFileName, is_daemon_claim, is_nonstandard_path, suspicion_score])
| sort(field=suspicion_score, order=desc)
| sort(field=@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (Linux) — ProcessRollup2 events CrowdStrike LogScale via Falcon Data Replicator

Required Tables

ProcessRollup2

False Positives

Falcon sensor telemetry from custom Linux distributions where binaries are installed in non-standard paths (e.g., /opt/agent/) but present standard daemon names
Interpreted language runtimes (Python, Ruby) that use setproctitle to display worker-specific names different from the interpreter binary path
Legitimate penetration testing tooling or red team agents that mimic daemon names as part of an authorized exercise

Overwrite Process Arguments

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections