DET0164: Detection Strategy for Overwritten Process Arguments Masquerading
Analyst context for executives and security teams
DET0164 is a detection strategy entry for identifying process-argument masquerading associated with ATT&CK technique T1036.011, Overwrite Process Arguments. The business significance is that a Linux process can appear benign because its in-memory argument/name representation has been changed, weakening confidence in process lists, triage views, and simple name-based monitoring.
Executive priority
Treat this as a resilience and response-readiness issue for Linux environments: if teams rely mainly on displayed process names or command lines, stealthy activity may be misclassified during SOC triage or incident response. Leaders should ask whether Linux process telemetry preserves enough launch, parent-child, executable-path, and runtime context to support investigations and audit evidence, rather than depending on process names alone.
Technical view
The supplied detection-strategy object carries no official detection text, platforms, or tactics of its own; its single relationship is a "detects" link to T1036.011, a Linux stealth technique in which a process modifies its own in-memory arguments, including argv[0], changing how it is represented through /proc. SOC and IR teams should validate whether Linux telemetry can compare process identity from multiple perspectives: the original execution context where available, the executable path, the parent process, process metadata, and the current /proc-exposed argument and name values.
Likely telemetry
- Linux process creation and execution records, where available
- Parent-child process relationship data
- Executable path and file metadata associated with running processes
- /proc-derived command-line or process name observations
- Endpoint detection or host monitoring process inventory snapshots
Detection direction
- Do not rely on process name or displayed command line as the sole indicator of legitimacy.
- Validate whether telemetry can show discrepancies between executable path, launch context, parent process, and current process argument/name representation.
- Tune investigations for suspicious mismatches while accounting for legitimate software that may intentionally set or alter process titles.
- Prioritize Linux coverage, because the related ATT&CK technique context explicitly references Linux and the /proc filesystem.
- Because the official DET0164 object provides no detection logic, local baselining and environment-specific false-positive review are required.
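As an added example that is not part of the DET0164 object or the Glexia analysis, the following Python compares the three /proc perspectives named above (the exe link, the kernel task name in comm, and argv[0] from cmdline) for each process and reports disagreements, which is the corroboration step the detection direction calls for. It assumes a Linux host with readable /proc entries and uses a constructed, locally tunable allowlist for software that legitimately rewrites its own title.

```python
import os
from dataclasses import dataclass

@dataclass
class ProcView:
    pid: int
    exe: str    # resolved target of /proc/<pid>/exe (ends in " (deleted)" if unlinked)
    comm: str   # /proc/<pid>/comm, the kernel task name, at most 15 bytes
    argv: list  # /proc/<pid>/cmdline split on NUL; argv[0] is what ps displays

# Constructed allowlist: software known to rewrite its own title legitimately. Tune locally.
TITLE_SETTERS = {"postgres", "nginx", "redis-server", "sshd"}
def identity_mismatches(view):
    """Return reasons the in-memory name/args disagree with the executable on disk."""
    exe_base = os.path.basename(view.exe).replace(" (deleted)", "")
    if exe_base in TITLE_SETTERS:
        return []
    reasons = []
    if view.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked after launch")
    if not view.argv:
        reasons.append("cmdline empty")
    else:
        # "-bash" login shells and "python3" -> "python3.11" symlink targets are benign
        argv0 = os.path.basename(view.argv[0]).lstrip("-")
        if not (exe_base.startswith(argv0) or argv0.startswith(exe_base)):
            reasons.append(f"argv[0] '{argv0}' != exe '{exe_base}'")
    if view.comm and not exe_base.startswith(view.comm):
        reasons.append(f"comm '{view.comm}' != exe '{exe_base}'")
    return reasons

def read_proc(pid):
    base = f"/proc/{pid}"
    exe = os.readlink(f"{base}/exe")
    with open(f"{base}/comm") as f:
        comm = f.read().rstrip("\n")
    with open(f"{base}/cmdline", "rb") as f:
        argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    return ProcView(pid, exe, comm, argv)

def scan_live_procs():
    findings = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            view = read_proc(int(name))
        except (PermissionError, FileNotFoundError):
            continue  # exited, kernel thread, or insufficient privilege for the exe link
        if reasons := identity_mismatches(view):
            findings[view.pid] = reasons
    return findings
```

Run scan_live_procs() as root on a Linux host to list pid to reasons; a first pass will surface local false positives (interpreters, wrappers, busybox-style multicall binaries) that belong in the allowlist or baseline.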
Mitigation priorities
- First, ensure Linux endpoint and host telemetry captures more than displayed process names.
- Next, update SOC and IR procedures to require corroboration of process identity using executable path, parent process, and runtime context.
- Reduce blind trust in process-list screenshots or single-source process inventories during investigations.
- Where appropriate, use execution governance, least privilege, and hardened administrative practices to reduce opportunities for untrusted code to run and masquerade.
- Document the telemetry and review process as compliance and incident-readiness evidence, especially for systems where Linux operational continuity is material.
Analyst notes and limits
This take is based on the DET0164 detection-strategy object and its relationship to ATT&CK T1036.011, Overwrite Process Arguments. The most useful defensive takeaway is not a specific signature, but a validation question: can defenders distinguish a process’s real execution context from a manipulated in-memory argument/name representation?
The official detection-strategy object supplied here has no description, no detection text, no listed platforms, and no tactics. Platform and behavioral detail come from the related T1036.011 context only. No claim is made about active exploitation, attribution, prevalence, or guaranteed detection coverage.
Detection Strategy for Overwritten Process Arguments Masquerading
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.011 | Overwrite Process Arguments Sub-technique | This object detects Overwrite Process Arguments. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | ea821f529ad9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0164 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.