GET /api/techniques/358/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 358,
"key": "process-argument-spoofing",
"unprotect_id": "U1243",
"name": "Process Argument Spoofing",
"description": "Process Argument Spoofing is a technique used by attackers to hide their true intentions by changing the command line arguments of a process after it has started.",
"windows": "This is done by tampering with the Process Environment Block (PEB).\r\n\r\nThe PEB is a user-mode structure that holds various information about a running process. Its `ProcessParameters` member points to an `RTL_USER_PROCESS_PARAMETERS` structure, which contains a `CommandLine` member of type `UNICODE_STRING`: a `Length` and a `MaximumLength` in bytes, plus a pointer to a UTF-16 `Buffer`. This is where the command line used to start the process is stored. The kernel keeps no independent copy that tools can query later, so `GetCommandLineW`, WMI `Win32_Process`, Process Explorer and most EDR sensors all read it from this structure (typically via `NtQueryInformationProcess` followed by `ReadProcessMemory`).\r\n\r\nAttackers exploit this by writing into the `CommandLine` buffer (and adjusting its `Length`) of a process they hold a handle to with memory read/write access, for example a child they created. Anything that reads the PEB after the write sees the new arguments, so even if a process was started with malicious intentions, the attacker can overwrite its initial arguments with harmless-looking ones; the process then appears legitimate to security systems and analysts, potentially hiding the malicious activity. The same primitive works in the opposite order: a process created with `CREATE_SUSPENDED` and a benign decoy command line can have its real arguments written in before its first thread is resumed, so process-creation telemetry (Sysmon Event ID 1, ETW process-start events) records the decoy while the program itself runs with the real arguments.\r\n\r\nThe sophistication of Process Argument Spoofing lies in its ability to alter process information after the process has been created and initially inspected by security tools. Detection therefore has to compare the command line captured at creation with the one read from the PEB later, or lean on telemetry that does not come from the PEB at all, such as the image path, loaded modules and observed behaviour.",
"linux": "`argv[0]` is the first element of a process' argument vector, conventionally the name or path of the executable. It is supplied by whoever calls `execve()`, independently of the path that is actually executed, so for most programs `argv[0]` can be set to an arbitrary value without affecting the program flow. `ps`, `top` and `/proc/<pid>/cmdline` all report this caller-supplied string, and a running process can also overwrite its own argument memory (the way `setproctitle`-style renaming does), changing what `/proc/<pid>/cmdline` shows after the fact.\r\n\r\nDetections relying on command-line arguments may be bypassed by manipulating `argv[0]`. For example:\r\n\r\n * Setting `argv[0]` to an empty string may bypass detections that look for the executable name in the command-line component;\r\n * Similarly, setting `argv[0]` to a different executable name may bypass detections, or fool security analysts into believing the command is doing something different;\r\n * Putting a very long string in `argv[0]` may 'hide' the actual command-line arguments at the very end, beyond what tools display or log; and\r\n * Including known detection exclusions in `argv[0]` may prevent the alerting logic from triggering.\r\n\r\nFields the kernel fills in itself are not affected: `/proc/<pid>/exe` resolves to the binary that was executed, `/proc/<pid>/comm` is derived from the executed path, and the auditd `SYSCALL` record carries `exe=` and `comm=` next to the `EXECVE` record's arguments. Detection logic should key on those rather than on `argv[0]`.",
"macos": "",
"resources": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/\r\nhttps://www.bordergate.co.uk/argument-spoofing/\r\nhttps://www.wietzebeukema.nl/blog/why-bother-with-argv0",
"creation_date": "2023-12-12T05:13:02.378000Z",
"tags": "Process Argument Spoofing, PEB Manipulation, Command Line Argument Tampering, Low-Level System Manipulation,",
"modification_date": "2024-11-18T09:56:34.544125Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
6,
357,
625
],
"contributors": [
30,
47
]
}
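The following Python script is an added example (not Unprotect's code, and not the implementation from the blogs listed under `resources`) of what the `windows` field describes, done with ctypes: create a child with `CREATE_SUSPENDED`, locate `PEB->ProcessParameters->CommandLine` through `NtQueryInformationProcess` and `ReadProcessMemory`, overwrite the `UNICODE_STRING` buffer and `Length` with `WriteProcessMemory`, then resume the thread. The structure offsets, the function names and the sample command lines are assumptions made for this example; the helpers that model the `UNICODE_STRING` layout and the must-fit-in-`MaximumLength` constraint are pure Python and run anywhere, while `spawn_with_patched_cmdline` needs a Windows host.

```python
import ctypes
import struct
import sys

PTR = ctypes.sizeof(ctypes.c_void_p)
# Assumed offsets (stable on x86/x64 Windows): PEB->ProcessParameters and
# RTL_USER_PROCESS_PARAMETERS->CommandLine (a UNICODE_STRING).
PEB_PROCESS_PARAMETERS = 0x20 if PTR == 8 else 0x10
RUPP_COMMANDLINE = 0x70 if PTR == 8 else 0x40
CREATE_SUSPENDED = 0x4
ProcessBasicInformation = 0


def unpack_unicode_string(raw, pointer_size=PTR):
    """UNICODE_STRING: USHORT Length (bytes, no NUL), USHORT MaximumLength, PWSTR Buffer."""
    fmt = "<HH4xQ" if pointer_size == 8 else "<HHI"
    return struct.unpack(fmt, raw[:struct.calcsize(fmt)])


def fits_in_buffer(max_length, new_cmdline):
    """An in-place overwrite must fit the buffer the original line reserved, NUL included."""
    return len(new_cmdline.encode("utf-16-le")) + 2 <= max_length


def encode_cmdline(new_cmdline):
    """Bytes to write into Buffer, and the new Length value (terminator excluded)."""
    data = new_cmdline.encode("utf-16-le")
    return data + b"\x00\x00", len(data)


class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [(n, ctypes.c_void_p) for n in (  # every field is pointer-sized on x64
        "ExitStatus", "PebBaseAddress", "AffinityMask", "BasePriority",
        "UniqueProcessId", "InheritedFromUniqueProcessId")]


class STARTUPINFOW(ctypes.Structure):
    _fields_ = ([("cb", ctypes.c_ulong), ("lpReserved", ctypes.c_wchar_p),
                 ("lpDesktop", ctypes.c_wchar_p), ("lpTitle", ctypes.c_wchar_p)]
                + [(n, ctypes.c_ulong) for n in ("dwX", "dwY", "dwXSize", "dwYSize",
                   "dwXCountChars", "dwYCountChars", "dwFillAttribute", "dwFlags")]
                + [("wShowWindow", ctypes.c_ushort), ("cbReserved2", ctypes.c_ushort),
                   ("lpReserved2", ctypes.c_void_p), ("hStdInput", ctypes.c_void_p),
                   ("hStdOutput", ctypes.c_void_p), ("hStdError", ctypes.c_void_p)])


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", ctypes.c_void_p), ("hThread", ctypes.c_void_p),
                ("dwProcessId", ctypes.c_ulong), ("dwThreadId", ctypes.c_ulong)]


def spawn_with_patched_cmdline(cmdline_at_creation, cmdline_after_patch):
    """Create a process suspended with one command line, rewrite it in the PEB, resume.

    Creation telemetry (Sysmon EID 1, ETW) records cmdline_at_creation; anything that
    reads the PEB afterwards, including the program's own GetCommandLineW (which runs
    after ResumeThread), sees cmdline_after_patch. Swap the arguments for the other order.
    """
    if sys.platform != "win32":
        raise RuntimeError("needs a Windows host")
    vp, sz = ctypes.c_void_p, ctypes.c_size_t
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    k32.CreateProcessW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, vp, vp, ctypes.c_int,
                                   ctypes.c_ulong, vp, ctypes.c_wchar_p, vp, vp]
    k32.ReadProcessMemory.argtypes = k32.WriteProcessMemory.argtypes = [vp, vp, vp, sz, vp]
    k32.ResumeThread.argtypes = [vp]
    ntdll.NtQueryInformationProcess.argtypes = [vp, ctypes.c_ulong, vp, ctypes.c_ulong, vp]

    si, pi = STARTUPINFOW(), PROCESS_INFORMATION()
    si.cb = ctypes.sizeof(si)
    cmd = ctypes.create_unicode_buffer(cmdline_at_creation)  # CreateProcessW may modify it
    if not k32.CreateProcessW(None, cmd, None, None, 0, CREATE_SUSPENDED, None, None,
                              ctypes.byref(si), ctypes.byref(pi)):
        raise ctypes.WinError(ctypes.get_last_error())

    def read(addr, n):
        buf = (ctypes.c_ubyte * n)()
        if not k32.ReadProcessMemory(pi.hProcess, addr, buf, n, None):
            raise ctypes.WinError(ctypes.get_last_error())
        return bytes(buf)

    def write(addr, data):
        if not k32.WriteProcessMemory(pi.hProcess, addr, data, len(data), None):
            raise ctypes.WinError(ctypes.get_last_error())

    pbi = PROCESS_BASIC_INFORMATION()
    if ntdll.NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation,
                                       ctypes.byref(pbi), ctypes.sizeof(pbi), None) != 0:
        raise OSError("NtQueryInformationProcess failed")
    (params,) = struct.unpack("<Q" if PTR == 8 else "<I",
                              read(pbi.PebBaseAddress + PEB_PROCESS_PARAMETERS, PTR))
    us_addr = params + RUPP_COMMANDLINE
    _length, max_length, buffer = unpack_unicode_string(read(us_addr, 2 * PTR))
    if not fits_in_buffer(max_length, cmdline_after_patch):
        raise ValueError("new line does not fit; allocate in the target and repoint Buffer")
    data, new_length = encode_cmdline(cmdline_after_patch)
    write(buffer, data)                            # overwrite the characters in place
    write(us_addr, struct.pack("<H", new_length))  # and shrink Length to match
    k32.ResumeThread(pi.hThread)
    return pi.dwProcessId
```

Because the rewrite happens in place, the command line the process is created with must be at least as long as the one written afterwards (pad the decoy with trailing spaces, as in `spawn_with_patched_cmdline("notepad.exe" + " " * 64, "notepad.exe C:\\Windows\\win.ini")`); otherwise allocate a new buffer in the target with `VirtualAllocEx` and point `Buffer` at it. Reading the result back with `Get-CimInstance Win32_Process` shows the patched line, while a Sysmon Event ID 1 for the same PID shows the creation line, which is exactly the discrepancy a detection can look for.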
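For the `linux` field, the following Python script is an added example (not Unprotect's code) of the first two tricks in that list and of the check a detection should do instead: it runs `sleep` under a spoofed `argv[0]` via `execve()` (`subprocess.Popen` with `executable=` separates the executed path from `argv`), then reads `/proc/<pid>/cmdline`, `/proc/<pid>/exe` and `/proc/<pid>/comm` and runs two toy rules over them. The spoofed names and both rules are constructed for this example; it assumes a Linux host with `/proc` and a `sleep` binary on `PATH`.

```python
import os
import shutil
import subprocess


def spawn_with_argv0(executable, argv0, *args):
    """execve() runs `executable`; argv[0] is just whatever string we put first."""
    return subprocess.Popen([argv0, *args], executable=executable)


def proc_view(pid):
    """What a /proc-based tool (ps, top, many sensors) reads for a process.

    cmdline lives in the process's own memory and is whatever argv says; exe and
    comm are set by the kernel at exec time from the path actually executed.
    """
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        argv = [a.decode(errors="replace") for a in f.read().split(b"\0")[:-1]]
    with open(f"/proc/{pid}/comm") as f:
        comm = f.read().rstrip("\n")
    exe = os.readlink(f"/proc/{pid}/exe")
    return {"argv": argv, "exe": exe, "exe_name": os.path.basename(exe), "comm": comm}


# Two toy rules for 'sleep was executed' (constructed for this example).
def naive_rule(view):
    """Keys on the command-line component only, the way many rules are written."""
    return bool(view["argv"]) and os.path.basename(view["argv"][0]) == "sleep"


def robust_rule(view):
    """Keys on kernel-maintained identity, which argv[0] cannot influence."""
    return view["exe_name"] == "sleep" or view["comm"] == "sleep"


def demo(argv0):
    """Spawn sleep under a fake argv[0], capture the /proc view, evaluate both rules."""
    sleep_bin = shutil.which("sleep")
    if sleep_bin is None:
        raise FileNotFoundError("sleep not on PATH")
    p = spawn_with_argv0(sleep_bin, argv0, "30")  # Popen returns only after exec succeeded
    try:
        view = proc_view(p.pid)
    finally:
        p.kill()
        p.wait()
    view["naive_alert"], view["robust_alert"] = naive_rule(view), robust_rule(view)
    return view


if __name__ == "__main__":
    for spoof in ("/usr/sbin/sshd", "", "A" * 4000):
        v = demo(spoof)
        print(f"argv0={spoof[:30]!r:<34} exe={v['exe_name']} comm={v['comm']} "
              f"naive={v['naive_alert']} robust={v['robust_alert']}")
```

With `/usr/sbin/sshd` as `argv[0]`, `ps` and `cmdline` show an sshd process, the naive rule stays silent, and `exe`/`comm` still say `sleep`; the empty string and the 4000-character name behave the same way. An auditd `SYSCALL` record for the same exec carries `exe=` and `comm=`, so the same comparison works from logs.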