Detect Overwrite Process Arguments in Microsoft Sentinel
Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process's stack and passes them to the main() function as the argv array. The first element, argv[0], typically contains the process name or path. By default, the Linux /proc filesystem uses this value to represent the process name. The /proc/<PID>/cmdline file reflects the contents of this memory, and tools like ps use it to display process information. During runtime, adversaries can erase the memory used by all command-line arguments for a process, overwriting each argument string with null bytes, then write a spoofed string into the memory region previously occupied by argv[0] to mimic a benign command. This technique is used by BPFDoor, which overwrites its argv[0] with names resembling Linux system daemons such as /sbin/udevd -d, dbus-daemon --system, and avahi-daemon: chroot helper.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.011 Overwrite Process Arguments
- Canonical reference
- https://attack.mitre.org/techniques/T1036/011/
KQL Detection Query
let KnownSpoofedNames = dynamic([
"/sbin/udevd", "dbus-daemon", "avahi-daemon", "auditd",
"systemd-journald", "/sbin/rpcbind", "xinetd", "crond",
"atd", "acpid", "smartd", "irqbalance"
]);
Syslog
| where TimeGenerated > ago(24h)
| where Facility in ("auth", "authpriv", "daemon")
| where SyslogMessage has "type=EXECVE"
| extend claimed_name = extract(@'a0="([^"]+)"', 1, SyslogMessage)
| extend actual_exe = extract(@'exe="([^"]+)"', 1, SyslogMessage)
| where isnotempty(claimed_name) and isnotempty(actual_exe)
| where claimed_name != actual_exe
| where claimed_name has_any (KnownSpoofedNames) or actual_exe !startswith "/usr/" and actual_exe !startswith "/bin/" and actual_exe !startswith "/sbin/"
| project TimeGenerated, Computer, claimed_name, actual_exe, SyslogMessage
| sort by TimeGenerated descDetects processes where the claimed command name (argv[0], visible in /proc/<PID>/cmdline and ps output) differs from the actual executable path (from /proc/<PID>/exe or auditd exe= field). This is the primary indicator of argv[0] overwriting as used by BPFDoor, which replaces its process name with strings like '/sbin/udevd -d' or 'avahi-daemon: chroot helper'. The query parses auditd EXECVE records forwarded to syslog and compares the a0 (first argument) field against the exe field, flagging mismatches — especially when the actual binary is in a non-standard path.
Data Sources
Required Tables
False Positives & Tuning
- BusyBox multi-call binary — a single /bin/busybox binary is invoked via symlinks with different argv[0] values (ls, cat, grep, etc.), causing legitimate exe/argv[0] mismatches on embedded Linux and container environments
- Python, Perl, and Java applications that set a custom process title via setproctitle() or similar libraries for operational clarity — common in application servers (gunicorn, celery, uwsgi)
- Shell scripts invoked via interpreter (bash script.sh) where argv[0] is 'bash' but the script name differs from the binary path
- Snap-packaged and Flatpak applications that execute through wrapper scripts causing path mismatches between /snap/ paths and actual binaries
Other platforms for T1036.011
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Overwrite argv[0] with Bash Process Substitution
Expected signal: Auditd EXECVE record with a0='/sbin/udevd -d' but exe pointing to /usr/bin/sleep (or /bin/sleep). The ps output shows the spoofed name. /proc/<PID>/cmdline shows '/sbin/udevd -d' while /proc/<PID>/exe symlinks to the actual sleep binary.
- Test 2Python prctl PR_SET_NAME Process Rename
Expected signal: Auditd SYSCALL record for prctl (syscall 157) with a0=15 (PR_SET_NAME) from python3. The /proc/<PID>/comm file will show 'avahi-daemon' while /proc/<PID>/exe still points to /usr/bin/python3. Process creation event shows python3 but ps output shows avahi-daemon.
- Test 3C Program argv[0] Overwrite and Fork (BPFDoor Simulation)
Expected signal: Auditd EXECVE record for /tmp/df00tech_argv_test. Fork SYSCALL (57) record. PROCTITLE record changing to hex-encoded '/sbin/udevd -d'. The child process shows PPID=1 (adopted by init) with args='/sbin/udevd -d' but /proc/<PID>/exe -> /tmp/df00tech_argv_test.
References (6)
- https://attack.mitre.org/techniques/T1036/011/
- https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
- https://man7.org/linux/man-pages/man2/prctl.2.html
- https://man7.org/linux/man-pages/man5/proc_pid_cmdline.5.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.011/T1036.011.md
Unlock Pro Content
Get the full detection package for T1036.011 including response playbook, investigation guide, and atomic red team tests.