Masquerading: Overwrite Process Arguments

Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process's stack and passes them to the main() function as the argv array. The first element, argv[0], typically contains the process name or path: by default, the command used to actually start the process (e.g., cat /etc/passwd). By default, the Linux /proc filesystem uses this value to represent the process name. The /proc/<PID>/cmdline file reflects the contents of this memory, and tools like ps use it to display process information. Since arguments are stored in user-space memory at launch, this modification can be performed without elevated privileges.

During runtime, adversaries can erase the memory used by all command-line arguments for a process, overwriting each argument string with null bytes. This removes evidence of how the process was originally launched. They can then write a spoofed string into the memory region previously occupied by argv[0] to mimic a benign command, such as cat resolv.conf. The new command-line string is reflected in /proc/<PID>/cmdline and displayed by tools like ps.[1][2]

ID: T1036.011
Sub-technique of: T1036
Platforms: Linux
Version: 1.0
Created: 27 March 2025
Last Modified: 15 April 2025

Procedure Examples

ID | Name | Description
S1161 | BPFDoor | BPFDoor overwrites the argv[0] value used by the Linux /proc filesystem to determine the command line and command name to display for each process. BPFDoor selects a name from 10 hardcoded names that resemble Linux system daemons, such as /sbin/udevd -d, dbus-daemon --system, avahi-daemon: chroot helper, /sbin/auditd -n, and /usr/lib/systemd/systemd-journald.[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID | Name | Analytic ID | Analytic Description
DET0164 | Detection Strategy for Overwritten Process Arguments Masquerading | AN0466 | Detects adversary behavior where the command-line arguments of a running process are overwritten in memory to spoof the process name, typically replacing it with a benign or misleading string. The detection correlates unexpected null byte sequences, discrepancies between /proc/<pid>/cmdline and process ancestry, and suspicious memory writes shortly after process start.
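The following Python script is an added illustration of the analytic described above and of the /proc mechanism explained in the technique description; it is not MITRE's code, nor code from BPFDoor or any detection product. It works from the observation that argv[0] lives in writable user memory while /proc/<pid>/exe, /proc/<pid>/comm and the parent process do not, so a rewritten command line can be caught by comparing the three. All process records, PIDs, paths and names below are constructed sample data, and the daemon path prefixes are an assumption to tune per distribution.

```python
"""Flag processes whose /proc/<pid>/cmdline disagrees with the rest of /proc.
Added illustration; every process record below is constructed sample data."""
from __future__ import annotations
import os
from dataclasses import dataclass

# argv[0] paths that normally belong to daemons started by PID 1
# (assumption for this example; adjust per distribution)
DAEMON_PREFIXES = ("/sbin/", "/usr/sbin/", "/usr/lib/systemd/")
INIT_NAMES = ("systemd", "init")


@dataclass
class ProcRecord:
    """One process as a collector would read it from /proc/<pid>/*."""
    pid: int
    ppid: int            # from /proc/<pid>/stat
    comm: str            # /proc/<pid>/comm: exec-time name, max 15 chars, not argv memory
    exe: str             # readlink(/proc/<pid>/exe)
    cmdline: bytes       # raw /proc/<pid>/cmdline, NUL-separated
    parent_comm: str     # /proc/<ppid>/comm


def parse_cmdline(raw: bytes) -> tuple[list[str], int, int]:
    """Return (argv, trailing_nuls, empty_args).

    A normal cmdline is "arg0\\0arg1\\0...argN\\0": one NUL per argument.  When a
    process zeroes its argument area and writes a shorter string into it, the
    kernel still returns the whole original region, so the tail is NUL padding.
    """
    body = raw.rstrip(b"\0")
    trailing_nuls = len(raw) - len(body)
    if not body:
        return [], trailing_nuls, 0        # kernel thread, or fully zeroed
    argv = [a.decode("utf-8", "replace") for a in body.split(b"\0")]
    return argv, trailing_nuls, argv.count("")


def _name(path: str) -> str:
    """Comparable base name: drop the login-shell '-' prefix and a setproctitle ':'."""
    return os.path.basename(path.lstrip("-")).rstrip(":")


def analyze(rec: ProcRecord) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    argv, trailing_nuls, empty_args = parse_cmdline(rec.cmdline)
    if not argv:
        return findings

    # 1. unexpected NUL sequences: more than the single terminator, or empty arguments
    if trailing_nuls > 1 or empty_args:
        findings.append(f"nul-padding: {trailing_nuls} trailing NULs, {empty_args} empty args")

    # 2. argv[0] vs exe/comm: only argv[0] is under the process's own control
    argv0 = argv[0]
    claimed = _name((argv0.split() or [""])[0])
    actual = _name(rec.exe)
    # prefix match tolerates "python3" vs "python3.11" and comm's 15-char truncation
    matches_exe = actual.startswith(claimed) or claimed.startswith(actual)
    matches_comm = rec.comm.startswith(claimed[:15])
    if not (matches_exe or matches_comm):
        findings.append(f"argv0-mismatch: argv[0]={argv0!r} exe={rec.exe!r} comm={rec.comm!r}")

    # 3. ancestry: claims to be a system daemon but was not started by PID 1
    if argv0.startswith(DAEMON_PREFIXES) and rec.ppid != 1 and rec.parent_comm not in INIT_NAMES:
        findings.append(f"ancestry: claims {argv0!r} but parent is {rec.parent_comm!r} (ppid {rec.ppid})")
    return findings


def scan(records: list[ProcRecord]) -> dict[int, list[str]]:
    """Run analyze() over a snapshot and keep only processes with findings."""
    return {r.pid: f for r in records if (f := analyze(r))}


# Constructed sample snapshot (hypothetical PIDs, paths and names).
SAMPLE = [
    # ordinary interpreter: argv[0] differs from exe only by a version suffix
    ProcRecord(2100, 1800, "python3", "/usr/bin/python3.11",
               b"python3\0backup.py\0", "bash"),
    # genuine journald started by systemd
    ProcRecord(700, 1, "systemd-journal", "/usr/lib/systemd/systemd-journald",
               b"/usr/lib/systemd/systemd-journald\0", "systemd"),
    # legitimate setproctitle-style rewrite (PostgreSQL worker): padding, but exe agrees
    ProcRecord(3100, 3050, "postgres", "/usr/lib/postgresql/16/bin/postgres",
               b"postgres: checkpointer\0" + b"\0" * 30, "postgres"),
    # spoofed: argv memory rewritten to look like udevd, everything else disagrees
    ProcRecord(4242, 3301, "example-implant", "/dev/shm/example-implant",
               b"/sbin/udevd -d\0" + b"\0" * 20, "bash"),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE).items():
        print(pid, *findings, sep="\n  ")
```

The PostgreSQL record is there on purpose: servers that rename their workers with setproctitle-style rewrites produce the same NUL padding, so padding alone is a weak signal and should only raise severity when the exe or ancestry check also fires, as it does for the spoofed record. On a live host, populate ProcRecord from /proc/<pid>/cmdline, exe, comm and the ppid field of stat.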
