Masquerading: Overwrite Process Arguments

Other sub-techniques of Masquerading (12)

ID	Name
ATAGS-T1100.001	Break Process Trees
ATAGS-T1100.002	Browser Fingerprint
ATAGS-T1100.003	Double File Extension
ATAGS-T1100.004	Invalid Code Signature
ATAGS-T1100.005	Masquerade Account Name
ATAGS-T1100.006	Masquerade File Type
ATAGS-T1100.007	Masquerade Task or Service
ATAGS-T1100.008	Match Legitimate Resource Name or Location
ATAGS-T1100.009	Overwrite Process Arguments
ATAGS-T1100.010	Rename Legitimate Utilities
ATAGS-T1100.011	Right-to-Left Override
ATAGS-T1100.012	Space after Filename

Threat Actors may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process’s stack and passes them to the main()function as the argv array. The first element, argv[0], typically contains the process name or path - by default, the command used to actually start the process (e.g., cat /etc/passwd). By default, the Linux /proc filesystem uses this value to represent the process name. The /proc//cmdline file reflects the contents of this memory, and tools like ps use it to display process information. Since arguments are stored in user-space memory at launch, this modification can be performed without elevated privileges.

ID: ATAGS-T1100.009

Sub-technique of: ATAGS-T1100

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.