Stealth

T1036.011: Overwrite Process Arguments


T1036.011 · Sub-technique · 1 platform

Description

Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the kernel places the command-line arguments on the process's initial stack and passes them to main() as the argv array. The first element, argv[0], typically holds the process name or path: by default, the command actually used to start the process (e.g., cat /etc/passwd). The /proc/<pid>/cmdline file reflects the contents of this memory, and tools such as ps read it to display the command line. Because the arguments live in user-space memory from launch, the process can rewrite them without elevated privileges.

During runtime, adversaries can erase the memory used by all of a process's command-line arguments by overwriting each argument string with null bytes. This removes evidence of how the process was originally launched. They can then write a spoofed string into the region previously occupied by argv[0] to mimic a benign command, such as cat resolv.conf. The new command line is reflected in /proc/<pid>/cmdline and displayed by tools like ps.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022)
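The rewrite described above, as an added example: this is not code from the ATT&CK page or from any of the cited malware, and the helper names (argv_region_len, overwrite_args, read_self_cmdline) are this example's own. It treats argv[0] through argv[argc-1] as one contiguous block (which is how the kernel lays them out on the initial stack), nulls the whole block, writes the page's own spoof string "cat resolv.conf" at the start, and then reads /proc/self/cmdline back to show the effect. It also reads /proc/self/exe, which the kernel resolves from the mapped binary and which the process cannot rewrite from user space.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Length of the contiguous block holding argv[0] .. argv[argc-1], including
 * the NUL that terminates the last argument. The kernel lays the argument
 * strings out back-to-back on the initial stack, which is what makes
 * treating them as a single region legitimate. */
size_t argv_region_len(int argc, char **argv)
{
    if (argc < 1)
        return 0;
    char *end = argv[argc - 1] + strlen(argv[argc - 1]) + 1;
    return (size_t)(end - argv[0]);
}

/* Erase the whole argv region with NUL bytes, then write the spoofed string
 * where argv[0] began. The spoof is truncated so the region's final byte
 * stays NUL: if it did not, the kernel would treat this as a
 * setproctitle(3)-style rewrite and keep reading into the environment
 * strings when serving /proc/<pid>/cmdline. Returns spoof bytes written. */
size_t overwrite_args(char *region, size_t region_len, const char *fake)
{
    if (region == NULL || region_len == 0)
        return 0;
    memset(region, 0, region_len);
    size_t n = strlen(fake);
    if (n > region_len - 1)
        n = region_len - 1;
    memcpy(region, fake, n);
    return n;
}

/* Read /proc/self/cmdline into buf, turning the NUL separators into spaces
 * so it prints the way `ps -o args` renders it. Returns bytes read or -1. */
ssize_t read_self_cmdline(char *buf, size_t buflen)
{
    int fd = open("/proc/self/cmdline", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0)
        return -1;
    for (ssize_t i = 0; i + 1 < n; i++)
        if (buf[i] == '\0')
            buf[i] = ' ';
    buf[n] = '\0';
    return n;
}

int main(int argc, char **argv)
{
    char line[4096], exe[4096];

    if (read_self_cmdline(line, sizeof line) >= 0)
        printf("cmdline before: %s\n", line);

    /* The spoof string is the one the page itself uses as an illustration. */
    overwrite_args(argv[0], argv_region_len(argc, argv), "cat resolv.conf");

    if (read_self_cmdline(line, sizeof line) >= 0)
        printf("cmdline after : %s\n", line);

    /* Not rewritable from user space: the kernel resolves /proc/<pid>/exe
     * from the mapped binary, not from process memory. */
    ssize_t e = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (e >= 0) {
        exe[e] = '\0';
        printf("exe (unchanged): %s\n", exe);
    }

    /* Pause so `ps -p <pid> -o pid,comm,args` can be run from another shell. */
    printf("pid %ld sleeping 15s; inspect with ps or /proc\n", (long)getpid());
    sleep(15);
    return 0;
}
```

Build with `cc -o argv_spoof argv_spoof.c` and run it as `./argv_spoof aaaaaaaaaaaaaaaaaaaaaaaa`: the padding matters, because the region is exactly as large as the original arguments, so `./argv_spoof` alone leaves room for only "cat res" before truncation. That is why implants that use this trick tend to be launched with long paths or dummy arguments, or accept the leak into the environment area that the non-NUL-terminated case produces. Note that `ps -o comm` and `/proc/<pid>/exe` still report the real binary name after the rewrite.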

Platforms

Linux

Associated Software (1)

ID      Name     Type     Context
S1161   BPFDoor  Malware  [BPFDoor](https://attack.mitre.org/software/S1161) overwrites the `argv[0]` value used by the Linux `/proc` filesystem to determine the command line a...

Frequently Asked Questions

What is T1036.011 (Overwrite Process Arguments)?

T1036.011 is a MITRE ATT&CK sub-technique named 'Overwrite Process Arguments' under the Stealth tactic. Adversaries rewrite a process's in-memory command-line arguments (the argv strings) so that /proc/<pid>/cmdline, and therefore tools such as ps, show a benign-looking command instead of the one actually used to launch the process. On Linux this needs no elevated privileges, since the arguments live in the process's own user-space memory.

How can T1036.011 be detected?

Because the spoofed string lives only in the process's own memory, the most reliable record is taken at exec time, before the process can touch its arguments: audit execve (for example an auditd rule such as `-a always,exit -F arch=b64 -S execve`, or an EDR/eBPF sensor on the execve tracepoint) captures the real argv. For processes already running, compare what /proc/<pid>/cmdline claims against what the kernel holds: /proc/<pid>/exe (the mapped binary, resolved by the kernel) and /proc/<pid>/comm. An argv[0] whose basename matches neither, an argv[0] that contains spaces (a whole command written into a single argv element), an all-null cmdline on a process that is not a kernel thread, or an exe link ending in "(deleted)" are all leads. Interpreters, login shells and daemons that call setproctitle() change argv[0] legitimately, so treat hits as triage candidates rather than verdicts.
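The /proc comparison from the answer above, as an added example that is not code from the ATT&CK page or from any cited report. The flag names, the argv0_check and scan_proc helpers, and the sample paths in the comments are this example's own. It checks each process's argv[0] (from its own memory) against the kernel-side exe link and comm, and reports the reasons as a bitmask; the scanner needs root to read other users' exe links.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum {
    ARGV0_OK = 0,
    ARGV0_EMPTY = 1,         /* cmdline present but starts with NUL: argv wiped */
    ARGV0_NAME_MISMATCH = 2, /* argv[0] matches neither exe basename nor comm */
    ARGV0_HAS_SPACE = 4,     /* one argv element holding "cmd arg": rewritten as a string */
    EXE_DELETED = 8          /* binary unlinked after exec: exe link ends " (deleted)" */
};

static const char *base_name(const char *p)
{
    const char *s = strrchr(p, '/');
    return s ? s + 1 : p;
}

/* Compare the process's claim (argv[0], from its own memory) with what the
 * kernel holds (exe link, comm). Returns a bitmask of the flags above.
 * Login shells ("-bash"), interpreters and setproctitle() users trip this
 * legitimately, so a hit is a triage lead, not a verdict. */
int argv0_check(const char *argv0, const char *exe_path, const char *comm)
{
    if (argv0 == NULL || argv0[0] == '\0')
        return ARGV0_EMPTY;
    int flags = ARGV0_OK;
    if (strchr(argv0, ' ') != NULL)
        flags |= ARGV0_HAS_SPACE;
    const char *a = base_name(argv0[0] == '-' ? argv0 + 1 : argv0);
    const char *e = base_name(exe_path);
    /* comm is capped at 15 bytes (TASK_COMM_LEN - 1), hence strncmp. */
    if (strcmp(a, e) != 0 && strncmp(a, comm, 15) != 0)
        flags |= ARGV0_NAME_MISMATCH;
    if (strstr(exe_path, " (deleted)") != NULL)
        flags |= EXE_DELETED;
    return flags;
}

/* Read a small /proc file into buf, NUL-terminated. Returns bytes or -1. */
static ssize_t read_file(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Walk /proc and print processes whose argv[0] disagrees with the kernel's
 * view. Returns the number flagged, or -1 if /proc cannot be opened. */
int scan_proc(void)
{
    DIR *d = opendir("/proc");
    if (d == NULL)
        return -1;
    int hits = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0]))
            continue;
        char path[64], cmdline[4096], comm[64], exe[4096];
        snprintf(path, sizeof path, "/proc/%s/cmdline", de->d_name);
        ssize_t n = read_file(path, cmdline, sizeof cmdline);
        if (n <= 0)             /* exited, unreadable, or kernel thread (empty) */
            continue;           /* a wiped argv is NOT empty: it is n bytes of NUL */
        snprintf(path, sizeof path, "/proc/%s/comm", de->d_name);
        ssize_t c = read_file(path, comm, sizeof comm);
        if (c <= 0)
            continue;
        if (comm[c - 1] == '\n')
            comm[c - 1] = '\0';
        snprintf(path, sizeof path, "/proc/%s/exe", de->d_name);
        ssize_t e = readlink(path, exe, sizeof exe - 1);
        if (e < 0)              /* EACCES on other users' processes unless root */
            continue;
        exe[e] = '\0';
        /* cmdline is NUL-separated, so as a C string it is exactly argv[0]. */
        int flags = argv0_check(cmdline, exe, comm);
        if (flags != ARGV0_OK) {
            printf("pid %s flags=%d argv0=\"%s\" exe=%s comm=%s\n",
                   de->d_name, flags, cmdline, exe, comm);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

int main(void)
{
    int hits = scan_proc();
    if (hits < 0) {
        fprintf(stderr, "/proc not available\n");
        return 1;
    }
    printf("%d process(es) flagged\n", hits);
    return 0;
}
```

Run it as root to cover every process; a process that rewrote its argv[0] to "cat resolv.conf" shows up with flags 6 (name mismatch plus a space inside a single argv element), while a genuine `cat resolv.conf` has argv[0] "cat", exe /usr/bin/cat and comm cat and is not reported.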

What mitigations exist for T1036.011?

Overwriting argv needs no privileges and touches only the process's own memory, so patching and least privilege do not prevent it; they limit what the disguised process can then do. What actually counters it is stopping the implant from running at all (application control or execution prevention for unsigned or unexpected binaries) and making the disguise pointless by capturing command lines at exec time through audit or EDR telemetry, which records the real argv before the process can rewrite it.

Which threat groups use T1036.011?

This page lists BPFDoor (S1161) as associated software, and the description also cites Microsoft's reporting on XorDdos. For up-to-date group attribution, check the MITRE ATT&CK website.