Skip to content

T1564.010 Process Argument Spoofing

Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.12

Adversaries may manipulate a process PEB to evade defenses. For example, Process Hollowing can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the Native API WriteProcessMemory() function) then resume process execution with malicious arguments.324

Adversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.5

This behavior may also be combined with other tricks (such as Parent PID Spoofing) to manipulate or further evade process-based detections.

Item Value
ID T1564.010
Sub-techniques T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010
Tactics TA0005
Platforms Windows
Permissions required User
Version 1.0
Created 19 November 2021
Last Modified 29 November 2021

Procedure Examples

ID Name Description
S0154 Cobalt Strike Cobalt Strike can use spoof arguments in spawned processes that execute beacon commands.7
S0615 SombRAT SombRAT has the ability to modify its process memory to hide process command-line arguments.5


Back to top