1. Home
  2. Techniques
  3. Enterprise
  4. Hide Artifacts
  5. Process Argument Spoofing

Hide Artifacts: Process Argument Spoofing

ID Name
T1564.001 Hidden Files and Directories
T1564.002 Hidden Users
T1564.003 Hidden Window
T1564.004 NTFS File Attributes
T1564.005 Hidden File System
T1564.006 Run Virtual Instance
T1564.007 VBA Stomping
T1564.008 Email Hiding Rules
T1564.009 Resource Forking
T1564.010 Process Argument Spoofing

Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.[1][2]

Adversaries may manipulate a process PEB to evade defenses. For example, Process Hollowing can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the Native API WriteProcessMemory() function) then resume process execution with malicious arguments.[3][2][4]

Adversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.[5]

This behavior may also be combined with other tricks (such as Parent PID Spoofing) to manipulate or further evade process-based detections.

ID: T1564.010
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: User
Version: 1.0
Created: 19 November 2021
Last Modified: 29 November 2021

Procedure Examples

ID Name Description
S0154 Cobalt Strike

Cobalt Strike can use spoof arguments in spawned processes that execute beacon commands.[6]
S0615 SombRAT

SombRAT has the ability to modify its process memory to hide process command-line arguments.[5]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Detection of process argument spoofing may be difficult as adversaries may momentarily modify stored arguments used for malicious execution. These changes may bypass process creation detection and/or later process memory analysis. Consider monitoring for Process Hollowing, which includes monitoring for process creation (especially those in a suspended state) as well as access and/or modifications of these processes (especially by the parent process) via Windows API calls.[4][7]

Analyze process behavior to determine if a process is performing actions it usually does not and/or do no align with its logged command-line arguments.

References

  1. Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.
  2. Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021.
  3. Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021.
  4. Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.
  1. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  2. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  3. Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.