title: Overwrite Process Arguments (T1036.011)
id: df00tech-t1036-011
status: experimental
description: "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the kernel places the command-line arguments on the new process's stack as consecutive NUL-terminated strings and passes them to main() as the argv array; argv[0] normally holds the program name or path. /proc/<PID>/cmdline is read directly from that memory region, and tools such as ps and top display it. Because the region belongs to the process, an adversary can at runtime overwrite every argument string with null bytes and then write a spoofed string into the space previously occupied by argv[0], so that the process appears to be a benign command. Two artifacts are not changed by overwriting argv: /proc/<PID>/exe still links to the executable that was actually mapped, and /proc/<PID>/comm still holds the name set at exec time (unless the process also changes it, e.g. via prctl(PR_SET_NAME)). An exe basename that disagrees with argv[0] is therefore the core detection signal. The overwrite also happens after execve(), so exec-time telemetry (auditd EXECVE records, most process-creation events) records the original command line; only telemetry that re-reads /proc/<PID>/cmdline later sees the spoofed value. This technique is used by BPFDoor, which overwrites its argv[0] with names resembling Linux system daemons such as /sbin/udevd -d, dbus-daemon --system, and avahi-daemon: chroot helper."
references:
  - https://attack.mitre.org/techniques/T1036/011/
  - https://df00tech.com/detections/T1036.011
author: df00tech
date: 2026/04/16
tags:
  - attack.t1036.011
# NOTE: logsource was auto-derived as product: windows; the technique is Linux-only, so it is set to linux here.
# process_creation events carry the argv captured at execve(), before the overwrite happens. This rule only
# produces hits on sources that re-read /proc/<PID>/cmdline after startup (periodic process inventory,
# EDR process snapshots); adjust the logsource to that source in your environment.
logsource:
  category: process_creation
  product: linux
detection:
  # The generic check is "executable path (exe) disagrees with argv[0]". Sigma cannot compare two fields of
  # the same event, so that form lives in the KQL/SPL query on df00tech. The selection below is the narrowed,
  # literal form: the daemon names BPFDoor writes into argv[0] (from the description), minus processes whose
  # executable really is that daemon.
  selection_spoofed:
    CommandLine|startswith:
      - '/sbin/udevd -d'
      - 'dbus-daemon --system'
      - 'avahi-daemon: chroot helper'
  filter_real_daemon:
    Image|endswith:
      - '/udevd'
      - '/dbus-daemon'
      - '/avahi-daemon'
  condition: selection_spoofed and not filter_real_daemon
falsepositives:
  - "BusyBox multi-call binary: a single /bin/busybox binary is invoked via symlinks with different argv[0] values (ls, cat, grep, etc.), so exe and argv[0] legitimately disagree on embedded Linux and in minimal container images"
  - "Python, Perl, and Java applications that set a custom process title via setproctitle() or similar libraries for operational clarity, which rewrite the same argv region; common in application servers (gunicorn, celery, uwsgi) and in daemons such as avahi-daemon itself"
  - "Interpreters reached through a symlink or a #! line: argv[0] carries the name the caller used (sh, python3, /bin/sh from a shebang) while /proc/<PID>/exe resolves to the real binary (dash, a versioned python3.x), so the basenames differ without any tampering"
  - "Snap-packaged and Flatpak applications that execute through wrapper scripts, causing path mismatches between /snap/ paths and the actual binaries"
level: high
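The following is an added example, not part of the df00tech rule and not BPFDoor's code. It performs the argv[0] overwrite the description outlines on its own process and then applies the exe-versus-argv[0] check that the detection relies on. It is Linux-only (it reads /proc/self/exe and /proc/self/cmdline), relies on the kernel placing the initial argv strings contiguously on the stack, and uses `dbus-daemon --system` from the description as the spoof string; the constructed executable paths in the comments are illustrative only.

```c
/* Added example (not df00tech's or BPFDoor's code): performs the argv[0]
 * overwrite described in the rule on its own process, then applies the
 * exe-vs-argv[0] check that detects it. Linux only (/proc). Assumes the
 * kernel's contiguous layout of argv strings on the initial stack. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* The technique: zero every argument string, then copy the spoof into the
 * bytes that used to hold argv[0]. The writable region runs from argv[0]
 * up to (not including) the final NUL of argv[argc-1]; that NUL is kept so
 * /proc/<PID>/cmdline still ends where the kernel expects. A spoof longer
 * than the region is truncated: there is no room to grow in place.
 * Returns the number of spoof bytes written. */
size_t spoof_argv(int argc, char **argv, const char *spoof)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL) return 0;
    char *start = argv[0];
    char *end = argv[argc - 1] + strlen(argv[argc - 1]); /* final NUL */
    size_t region = (size_t)(end - start);
    memset(start, 0, region);                 /* wipe all arguments */
    size_t n = strlen(spoof);
    if (n > region) n = region;
    memcpy(start, spoof, n);                  /* plant the fake name */
    return n;
}

static const char *basename_of(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* The detection: compare the basename of the executable the kernel mapped
 * (/proc/<PID>/exe) with the basename of the first argv[0] token. The token
 * ends at NUL or space, because spoofs such as "/sbin/udevd -d" pack a fake
 * argument into argv[0] itself. Returns 1 on mismatch, 0 when they agree. */
int argv0_mismatch(const char *exe_path, const char *cmdline)
{
    char tok[PATH_MAX];
    size_t i = 0;
    while (i < sizeof tok - 1 && cmdline[i] != '\0' && cmdline[i] != ' ') {
        tok[i] = cmdline[i];
        i++;
    }
    tok[i] = '\0';
    return strcmp(basename_of(exe_path), basename_of(tok)) != 0;
}

/* Spoofs its own argv, then inspects /proc/self the way a /proc-scanning
 * detector would. While it runs, `ps -p <pid> -o pid,comm,args` shows the
 * spoof under args but the real binary under comm. */
int main(int argc, char **argv)
{
    spoof_argv(argc, argv, "dbus-daemon --system");

    char exe[PATH_MAX], cmdline[4096];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0) { perror("readlink /proc/self/exe"); return 1; }
    exe[n] = '\0';

    FILE *f = fopen("/proc/self/cmdline", "rb");
    if (!f) { perror("fopen /proc/self/cmdline"); return 1; }
    size_t len = fread(cmdline, 1, sizeof cmdline - 1, f);
    fclose(f);
    cmdline[len] = '\0';   /* first NUL-terminated entry is argv[0] */

    printf("exe=%s argv0=%s verdict=%s\n", exe, cmdline,
           argv0_mismatch(exe, cmdline) ? "MISMATCH (T1036.011 candidate)" : "ok");
    return 0;
}
```

`argv0_mismatch` is deliberately strict: it also fires on the BusyBox, shebang and setproctitle cases listed under falsepositives, so a scanner built on it should pair the check with an allowlist for those executables rather than weakening the comparison.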
