
DET0045 Detection Strategy for Process Argument Spoofing on Windows

| Item | Value |
| --- | --- |
| ID | DET0045 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1564.010 (Process Argument Spoofing)

Analytics

Windows

AN0126

Inconsistencies between process command-line arguments logged at creation time and subsequent process behavior. Defender perspective: monitoring for processes launched in a suspended state, followed by memory modifications (e.g., WriteProcessMemory targeting the PEB) that overwrite arguments before execution resumes. Detection also includes observing anomalous behaviors from processes whose logged arguments do not align with executed activity (e.g., network connections, file writes, or registry modifications).

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

Mutable Elements

| Field | Description |
| --- | --- |
| SuspendedProcessWindow | Time window in which a process remains in a suspended state before being modified. Tunable based on baseline activity in the environment. |
| SensitiveProcesses | List of critical processes (e.g., explorer.exe, lsass.exe) where argument spoofing is highly suspicious. Can be customized per organization. |
| BehavioralCorrelationWindow | Time span in which to correlate command-line inconsistencies with anomalous behavior such as network activity or registry modification. |
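As an added illustration of how the AN0126 logic could be prototyped (this is not code from the DET0045 page or from MITRE), the Python below correlates a Security 4688 process creation with a later Sysmon Event ID 10 in which the creating process requests VM-write rights on the new child inside SuspendedProcessWindow, and scores the hit against SensitiveProcesses. The event records, field normalisation, window and access-mask values are assumptions; 4688 does not record a suspended-creation flag, so a short creation-to-write interval stands in for it.

```python
from datetime import datetime, timedelta

# Tunables mirroring the page's mutable elements; the values are assumptions.
SUSPENDED_PROCESS_WINDOW = timedelta(seconds=30)
SENSITIVE_PROCESSES = {"explorer.exe", "lsass.exe"}
# Sysmon EID 10 GrantedAccess bits needed to overwrite another process's memory (its PEB included).
VM_WRITE_MASK = 0x0008 | 0x0020  # PROCESS_VM_OPERATION | PROCESS_VM_WRITE

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events):
    """Flag a Security 4688 creation followed, within the window, by a Sysmon 10 access
    from the creating process with VM-write rights on the new process. Records are
    constructed and pre-normalised: PIDs are ints, GrantedAccess is a hex string."""
    creations = {}  # new PID -> its 4688 record
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] == "Security" and ev["EventCode"] == 4688:
            creations[ev["NewProcessId"]] = ev
            continue
        if not (ev["source"] == "Sysmon" and ev["EventCode"] == 10):
            continue
        created = creations.get(ev["TargetProcessId"])
        if created is None or ev["SourceProcessId"] != created["ProcessId"]:
            continue  # only the creator touching its own child is of interest here
        if _ts(ev["ts"]) - _ts(created["ts"]) > SUSPENDED_PROCESS_WINDOW:
            continue  # too late to be a pre-resume argument rewrite
        if (int(ev["GrantedAccess"], 16) & VM_WRITE_MASK) != VM_WRITE_MASK:
            continue  # query-only handles cannot rewrite the PEB
        image = created["NewProcessName"].rsplit("\\", 1)[-1].lower()
        alerts.append({"pid": ev["TargetProcessId"], "image": image,
                       "logged_cmdline": created["CommandLine"],  # keep for behaviour comparison
                       "severity": "high" if image in SENSITIVE_PROCESSES else "medium"})
    return alerts

# Constructed sample records: one spoofing-style sequence and two benign accesses.
SAMPLE_EVENTS = [
    {"source": "Security", "EventCode": 4688, "ts": "2025-10-21 10:00:00", "ProcessId": 4100,
     "NewProcessId": 6700, "NewProcessName": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"source": "Sysmon", "EventCode": 10, "ts": "2025-10-21 10:00:02", "SourceProcessId": 4100,
     "TargetProcessId": 6700, "GrantedAccess": "0x1FFFFF"},  # full access seconds after creation
    {"source": "Security", "EventCode": 4688, "ts": "2025-10-21 10:05:00", "ProcessId": 4100,
     "NewProcessId": 6800, "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"source": "Sysmon", "EventCode": 10, "ts": "2025-10-21 10:05:01", "SourceProcessId": 4100,
     "TargetProcessId": 6800, "GrantedAccess": "0x1000"},  # PROCESS_QUERY_LIMITED_INFORMATION only
    {"source": "Sysmon", "EventCode": 10, "ts": "2025-10-21 10:06:30", "SourceProcessId": 4100,
     "TargetProcessId": 6800, "GrantedAccess": "0x1FFFFF"},  # write rights, but outside the window
]
```

The `logged_cmdline` carried in each alert is what a second stage would compare, inside BehavioralCorrelationWindow, against the network, file and registry activity the process actually performs.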