Detects adversary behavior where the command-line arguments of a running process are overwritten in memory to spoof the process name, typically replacing it with a benign or misleading string. The detection correlates unexpected null-byte sequences in `/proc/<pid>/cmdline`, discrepancies between that cmdline and the process's ancestry, and suspicious memory writes shortly after process start.

| Data Component | Name | Channel |
|---|---|---|
| Process Metadata (DC0034) | auditd:SYSCALL | execve, prctl, or ptrace activity affecting process memory or command-line arguments |
| Process Modification (DC0020) | ebpf:tracepoints | Runtime memory overwrite of the argv[] memory region |

| Field | Description |
|---|---|
| TimeWindow | Time threshold after process creation during which argv memory manipulation is expected to be rare; anomalies occurring outside this window may be more suspicious. |
| AllowedArgvMismatchPatterns | List of known legitimate processes where argv[0] mismatch is expected due to application logic or packaging quirks. |
| ParentExecutableTrustList | Trusted parent binaries allowed to spawn processes with altered command-line names. |
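As an added illustration, not part of this detection entry, the following Python heuristic applies the cmdline/exe/comm correlation together with the AllowedArgvMismatchPatterns and ParentExecutableTrustList tunables to a process record read from /proc; the pattern and trust-list values are assumptions chosen for the example.

```python
import os
import re
from dataclasses import dataclass

ALLOWED_ARGV_MISMATCH_PATTERNS = [r"^-bash$", r"^sshd: ", r"^postgres: "]  # assumed values
PARENT_EXECUTABLE_TRUST_LIST = {"/usr/sbin/sshd", "/usr/lib/systemd/systemd"}  # assumed values


@dataclass
class ProcRecord:
    pid: int
    cmdline: bytes    # raw /proc/<pid>/cmdline: argv joined by NUL bytes
    exe: str          # target of the /proc/<pid>/exe symlink (kernel-maintained)
    comm: str         # /proc/<pid>/comm: name set at execve, 15 chars max
    parent_exe: str   # target of /proc/<ppid>/exe


def argv_anomalies(rec: ProcRecord) -> list[str]:
    """Return the reasons a record looks like argv spoofing; empty means clean."""
    if not rec.cmdline or rec.parent_exe in PARENT_EXECUTABLE_TRUST_LIST:
        return []  # kernel threads/zombies have no cmdline; trusted parents skipped
    argv0 = rec.cmdline.split(b"\0")[0].decode("utf-8", "replace")
    if any(re.search(p, argv0) for p in ALLOWED_ARGV_MISMATCH_PATTERNS):
        return []  # interpreted scripts and setproctitle users belong here
    reasons = []
    # Overwriting argv in place leaves the unused tail of the original buffer
    # as a run of NUL bytes; a freshly exec'd process ends with exactly one.
    if rec.cmdline.endswith(b"\0\0"):
        reasons.append("run of null bytes at end of cmdline")
    # argv[0] lives in writable process memory; exe and comm do not.
    exe_name = os.path.basename(rec.exe)
    if os.path.basename(argv0) not in (exe_name, rec.comm):
        reasons.append("argv[0] does not match exe/comm")
    if rec.comm != exe_name[:15]:
        reasons.append("comm does not match exe name (prctl PR_SET_NAME?)")
    return reasons


def read_record(pid: int) -> ProcRecord:
    """Build a ProcRecord from a live /proc entry (Linux only)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        cmdline = f.read()
    with open(f"/proc/{pid}/comm") as f:
        comm = f.read().rstrip("\n")
    with open(f"/proc/{pid}/stat") as f:   # "pid (comm) state ppid ..."
        ppid = int(f.read().rsplit(")", 1)[1].split()[1])

    def exe_of(p: int) -> str:
        try:
            return os.readlink(f"/proc/{p}/exe")
        except OSError:
            return ""  # kernel threads and exited processes have no exe link
    return ProcRecord(pid, cmdline, exe_of(pid), comm, exe_of(ppid))
```

Running `argv_anomalies(read_record(pid))` over every numeric entry in /proc gives a point-in-time sweep; the eBPF tracepoint and auditd sources in the table above supply the time-of-write signal that a sweep cannot.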