T1564.010 Process Argument Spoofing
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.12
Adversaries may manipulate a process PEB to evade defenses. For example, Process Hollowing can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the Native API WriteProcessMemory() function) then resume process execution with malicious arguments.324
Adversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.5
This behavior may also be combined with other tricks (such as Parent PID Spoofing) to manipulate or further evade process-based detections.
| Item | Value |
|---|---|
| ID | T1564.010 |
| Sub-techniques | T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010 |
| Tactics | TA0005 |
| Platforms | Windows |
| Permissions required | User |
| Version | 1.0 |
| Created | 19 November 2021 |
| Last Modified | 29 November 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0154 | Cobalt Strike | Cobalt Strike can use spoof arguments in spawned processes that execute beacon commands.7 |
| S0615 | SombRAT | SombRAT has the ability to modify its process memory to hide process command-line arguments.5 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0009 | Process | Process Creation |
References
-
Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021. ↩
-
Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021. ↩↩
-
Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021. ↩
-
Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021. ↩
-
McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. ↩↩
-
Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021. ↩
-
Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. ↩