Detect Overwrite Process Arguments in Sumo Logic CSE
Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process's stack and passes them to the main() function as the argv array. The first element, argv[0], typically contains the process name or path. By default, the Linux /proc filesystem uses this value to represent the process name. The /proc/<PID>/cmdline file reflects the contents of this memory, and tools like ps use it to display process information. During runtime, adversaries can erase the memory used by all command-line arguments for a process, overwriting each argument string with null bytes, then write a spoofed string into the memory region previously occupied by argv[0] to mimic a benign command. This technique is used by BPFDoor, which overwrites its argv[0] with names resembling Linux system daemons such as /sbin/udevd -d, dbus-daemon --system, and avahi-daemon: chroot helper.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1036 Masquerading
- Sub-technique: T1036.011 Overwrite Process Arguments
- Canonical reference: https://attack.mitre.org/techniques/T1036/011/
Sumo Detection Query
_sourceCategory=linux/audit type=EXECVE
| parse regex "a0=\"(?<claimed_name>[^\"]+)\""
| parse regex "exe=\"(?<actual_exe>[^\"]+)\""
| where !isNull(claimed_name) and !isNull(actual_exe)
| where claimed_name != actual_exe
| if(claimed_name matches "/sbin/udevd*" or claimed_name matches "dbus-daemon*" or claimed_name matches "avahi-daemon*" or claimed_name matches "auditd*" or claimed_name matches "systemd-journald*" or claimed_name matches "/sbin/rpcbind*" or claimed_name matches "xinetd*" or claimed_name matches "crond*" or claimed_name matches "atd*" or claimed_name matches "acpid*" or claimed_name matches "smartd*" or claimed_name matches "irqbalance*", 1, 0) as is_daemon_claim
| if(!(actual_exe matches "/usr/*" or actual_exe matches "/bin/*" or actual_exe matches "/sbin/*" or actual_exe matches "/lib/*"), 1, 0) as is_nonstandard_path
| where is_daemon_claim = 1 or is_nonstandard_path = 1
| toInt(is_daemon_claim) + toInt(is_nonstandard_path) as suspicion_score
| fields _messageTime, _sourceHost, claimed_name, actual_exe, is_daemon_claim, is_nonstandard_path, suspicion_score
| sort by suspicion_score desc, _messageTime desc

Detects T1036.011 process argument overwriting in Sumo Logic by parsing Linux auditd EXECVE records. It extracts argv[0] (the claimed process name) and the actual executable path, then scores each event on two indicators: whether the claimed name matches a known system daemon name, and whether the actual binary resides outside the standard Linux system paths.

Three properties of auditd telemetry matter when deploying this query. First, a0 lives in the EXECVE record while exe lives in the SYSCALL record of the same event; the two share the msg=audit(timestamp:serial) identifier, so the query only works where the collector delivers the event as one merged message. With raw audit.log lines the fields must be joined on that identifier first. Second, auditd hex-encodes any argument that contains a space, a quote or a control character, so a spoofed a0 such as "/sbin/udevd -d" arrives as a0=2F7362696E2F7564657664202D64 rather than in quotes, and the quoted-string regex above will not match it; extend the parse to accept the hex form if your pipeline does not decode it. Third, an EXECVE record captures argv[0] as it was passed to execve(). A process that rewrites its argument memory after it has started, as BPFDoor does, generates no new EXECVE record, so this query catches spoofing at exec time (for example bash's exec -a) and should be paired with a /proc or EDR check for in-memory rewrites.
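The following is an added example, not code from the page or from Sumo Logic: it replays the query's scoring logic in Python over raw auditd lines, joining the SYSCALL record (exe) and the EXECVE record (a0) on their shared event identifier and decoding a hex-encoded a0, which is the case the quoted-string regex in the query misses. The log records, the /opt/.cache/svc implant and the event serials are constructed for the example and are not captured telemetry.

```python
"""Added example: replay the Sumo query's logic over raw auditd lines.
Hypothetical code, not from the page or from Sumo Logic; the records below
are constructed for the example, not captured telemetry."""
import re
from collections import defaultdict

# Same indicator lists as the query above
DAEMON_CLAIMS = ("/sbin/udevd", "dbus-daemon", "avahi-daemon", "auditd",
                 "systemd-journald", "/sbin/rpcbind", "xinetd", "crond",
                 "atd", "acpid", "smartd", "irqbalance")
STANDARD_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/")

EVENT_ID_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
# auditd quotes printable arguments and hex-encodes anything containing a
# space, a quote or a control character, so accept both encodings of a0
A0_RE = re.compile(r"\ba0=(?:\"(?P<quoted>[^\"]*)\"|(?P<hexed>[0-9A-Fa-f]+))")
EXE_RE = re.compile(r"\bexe=\"(?P<exe>[^\"]+)\"")

# Constructed records: event 501 is bash `exec -a '/sbin/udevd -d' sleep 60`,
# 502 is a benign `ls -l`, 503 is the Test 3 binary launched as ./df00tech_argv_test,
# 504 is a hypothetical implant in /opt claiming to be dbus-daemon.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 uid=1000 comm="sleep" exe="/usr/bin/sleep" key="exec"',
    'type=EXECVE msg=audit(1700000000.101:501): argc=2 a0=2F7362696E2F7564657664202D64 a1="60"',
    'type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2102 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=EXECVE msg=audit(1700000000.102:502): argc=2 a0="ls" a1="-l"',
    'type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2103 uid=1000 comm="df00tech_argv_t" exe="/tmp/df00tech_argv_test" key="exec"',
    'type=EXECVE msg=audit(1700000000.103:503): argc=1 a0="./df00tech_argv_test"',
    'type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2104 uid=0 comm="svc" exe="/opt/.cache/svc" key="exec"',
    'type=EXECVE msg=audit(1700000000.104:504): argc=1 a0=646275732D6461656D6F6E202D2D73797374656D',
]


def decode_audit_string(quoted, hexed):
    """Return the argument text from whichever encoding auditd used."""
    if quoted is not None:
        return quoted
    return bytes.fromhex(hexed).decode("utf-8", "replace")


def correlate(lines):
    """Join SYSCALL (exe) and EXECVE (a0) records on their shared event id."""
    events = defaultdict(dict)
    for line in lines:
        ident = EVENT_ID_RE.search(line)
        if not ident:
            continue
        key = (ident.group("ts"), ident.group("serial"))
        rtype = line.split(None, 1)[0]
        if rtype == "type=EXECVE":
            m = A0_RE.search(line)
            if m:
                events[key]["claimed_name"] = decode_audit_string(m.group("quoted"), m.group("hexed"))
        elif rtype == "type=SYSCALL":
            m = EXE_RE.search(line)
            if m:
                events[key]["actual_exe"] = m.group("exe")
    return events


def score_event(claimed_name, actual_exe):
    """Mirror the query: drop exact matches, one point per indicator, None if neither fires."""
    if claimed_name == actual_exe:
        return None
    is_daemon_claim = int(claimed_name.startswith(DAEMON_CLAIMS))
    is_nonstandard_path = int(not actual_exe.startswith(STANDARD_PREFIXES))
    score = is_daemon_claim + is_nonstandard_path
    return score or None


def detect(lines):
    """Return (claimed_name, actual_exe, suspicion_score) tuples, highest score first."""
    hits = []
    for event in correlate(lines).values():
        if "claimed_name" not in event or "actual_exe" not in event:
            continue  # half an event: the other record was not ingested
        score = score_event(event["claimed_name"], event["actual_exe"])
        if score is not None:
            hits.append((event["claimed_name"], event["actual_exe"], score))
    hits.sort(key=lambda hit: hit[2], reverse=True)
    return hits


if __name__ == "__main__":
    for claimed, exe, score in detect(SAMPLE_RECORDS):
        print(f"{score}  claimed={claimed!r}  exe={exe}")
```

Run against the constructed records, the benign `ls -l` is dropped, the two single-indicator events score 1, and the /opt implant claiming to be dbus-daemon scores 2. Note that the hex-encoded a0 values are only recognised because the regex accepts both encodings; with the quoted-only regex from the query the udevd and dbus-daemon events would not be parsed at all.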
Data Sources
- Linux auditd execve telemetry ingested under _sourceCategory=linux/audit: EXECVE records (a0, the claimed name), SYSCALL records (exe, the resolved binary), and PROCTITLE records (the current argument block) for the same event
False Positives & Tuning
- Security tooling or EDR agents installed in non-standard directories that legitimately display service-like names in process listings
- Custom shell scripts or startup wrappers deployed in /opt or /home that set argv[0] to a descriptive name (for example with bash's exec -a)
- Legitimate test environments running BPFDoor indicators as part of red team exercises or malware analysis
- Processes launched with a relative or bare argv[0] (a0="ls" against exe="/usr/bin/ls"): a0 and exe almost never compare equal, so the claimed_name != actual_exe filter removes very little and the two indicator fields carry the real signal. Tune the daemon-name list and the path allowlist (adding /opt or /snap where those are standard on your fleet) rather than the inequality
- Spoofed argv[0] values containing a space are hex-encoded in raw audit.log, so a collector that does not decode them leaves the quoted-string parse above with nothing to match; check whether your pipeline delivers a0=2F73... or a0="/sbin/udevd -d" before relying on the daemon-name indicator
Testing Methodology
Validate this detection against three T1036.011 tests from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Overwrite argv[0] with Bash Process Substitution
Expected signal: Auditd EXECVE record with a0 set to '/sbin/udevd -d' while exe in the paired SYSCALL record points to /usr/bin/sleep (or /bin/sleep). Because the spoofed value contains a space, raw audit.log carries it hex-encoded as a0=2F7362696E2F7564657664202D64; ausearch -i decodes it. The ps output shows the spoofed name, /proc/<PID>/cmdline shows '/sbin/udevd -d', and /proc/<PID>/exe symlinks to the actual sleep binary. This is the test the query above targets, provided the hex-encoded a0 is decoded before the parse.
- Test 2: Python prctl PR_SET_NAME Process Rename
Expected signal: Auditd SYSCALL record for prctl (syscall 157 on x86_64) with a0=f (PR_SET_NAME, value 15) from python3; capturing it requires a syscall rule such as -a always,exit -F arch=b64 -S prctl. /proc/<PID>/comm shows 'avahi-daemon' while /proc/<PID>/exe still points to /usr/bin/python3 and /proc/<PID>/cmdline still shows the python3 invocation, so tools that read comm (top, ps -o comm) show avahi-daemon and tools that read cmdline (ps aux) still show python3. PR_SET_NAME changes comm only, not argv, so no EXECVE record carries the spoofed name and the query above does not fire; this test exercises the comm-rename variant and needs the prctl audit rule or a /proc comparison to be seen.
- Test 3: C Program argv[0] Overwrite and Fork (BPFDoor Simulation)
Expected signal: Auditd EXECVE record for /tmp/df00tech_argv_test, a fork SYSCALL record (glibc's fork() is implemented with clone, syscall 56 on x86_64, rather than fork, syscall 57, so match either), and PROCTITLE records on subsequent audited syscalls from the child carrying hex-encoded '/sbin/udevd -d'. The child process shows PPID=1 (adopted by init) with args='/sbin/udevd -d' but /proc/<PID>/exe -> /tmp/df00tech_argv_test. The query above sees only the original execve of /tmp/df00tech_argv_test, which it scores through is_nonstandard_path when a0 differs from exe (for instance when the binary is launched as ./df00tech_argv_test); the later in-memory rewrite produces no EXECVE record.
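The technique description at the top of the page and the three tests above all come down to one host-side check: the three names the kernel keeps for a process (argv[0] in /proc/<PID>/cmdline, /proc/<PID>/comm, and the /proc/<PID>/exe link) stop agreeing. The following is an added example, not code from the page, from Atomic Red Team or from the BPFDoor analysis it cites: a Python checker that reads those three files and reports an argv[0] containing whitespace (a genuine argv[0] is a single element, so a space means the whole argument block was rewritten as one string), an argv[0] basename that does not correspond to the exe basename, and a comm that does not correspond to the exe basename. The prefix-tolerant comparison (so that python3 against python3.12 is not reported) and the sample inputs in the test are my own assumptions; walk_proc() needs a Linux /proc and reports only processes the caller may read.

```python
"""Added example: hunt T1036.011 by cross-checking a process's three names in /proc.
Hypothetical helper, not the page's or any vendor's code; walk_proc() needs Linux."""
import os

COMM_LEN = 15  # the kernel truncates comm to TASK_COMM_LEN - 1 characters


def parse_cmdline(raw):
    """Split the NUL-separated /proc/<pid>/cmdline into argv.
    After an in-memory overwrite the spoofed string sits where argv[0] was and
    the rest of the region is NUL bytes, so empty elements are dropped."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def names_consistent(claimed, exe_base):
    """Exact equality is too strict (python3 vs python3.12, a symlink vs its
    target), so accept a prefix either way. Multicall binaries such as busybox
    and scripts run through an interpreter are still reported, for triage."""
    return exe_base.startswith(claimed) or claimed.startswith(exe_base)


def assess(cmdline_raw, comm, exe):
    """Return the list of inconsistencies for one process (empty means clean)."""
    findings = []
    exe_path = exe[: -len(" (deleted)")] if exe.endswith(" (deleted)") else exe
    exe_base = os.path.basename(exe_path)
    argv = parse_cmdline(cmdline_raw)
    if argv:
        argv0 = argv[0]
        if " " in argv0:
            # argv[0] is one element; a space inside it is the BPFDoor pattern
            # of writing "/sbin/udevd -d" over the whole argument block
            findings.append("argv0_contains_space")
        argv0_base = os.path.basename(argv0.split(" ", 1)[0])
        if not names_consistent(argv0_base, exe_base):
            findings.append(f"argv0_mismatch:{argv0_base}!={exe_base}")
    # PR_SET_NAME (Test 2 above) changes comm without touching argv
    if not names_consistent(comm, exe_base[:COMM_LEN]):
        findings.append(f"comm_mismatch:{comm}!={exe_base[:COMM_LEN]}")
    return findings


def walk_proc(proc="/proc"):
    """Scan every readable pid and return [(pid, exe, findings)] for mismatches."""
    results = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().rstrip("\n")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread (no exe), exited pid, or another uid's process
        if not cmdline:
            continue
        findings = assess(cmdline, comm, exe)
        if findings:
            results.append((int(entry), exe, findings))
    return results


if __name__ == "__main__":
    for pid, exe, findings in walk_proc():
        print(f"pid={pid} exe={exe} {' '.join(findings)}")
```

Run as root after Test 1 it reports the sleep process with both argv0 findings; after Test 2 it reports the python3 process with a comm mismatch only, which is exactly the case the EXECVE-based query cannot see. Expect interpreter-run scripts and busybox-style multicall binaries in the output and allowlist them per fleet.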
References
- https://attack.mitre.org/techniques/T1036/011/
- https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
- https://man7.org/linux/man-pages/man2/prctl.2.html
- https://man7.org/linux/man-pages/man5/proc_pid_cmdline.5.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.011/T1036.011.md