Process Argument Spoofing

Created the Tuesday 12 December 2023. Updated 4 months ago.

Process Argument Spoofing is a technique used by attackers to hide their true intentions by changing the command line arguments of a process after it has started. This is done by tampering with the Process Environment Block (PEB).

The PEB is a structure in Windows that holds various information about a running process. Within the PEB, there's a specific section called RTL_USER_PROCESS_PARAMETERS. This section contains an attribute named CommandLine, which is structured as a UNICODE_STRING. The CommandLine attribute is crucial because it stores the command line arguments that were used to start the process.

Attackers exploit this by modifying the CommandLine attribute's buffer. When they change the contents of this buffer, the command line arguments that are visible to monitoring tools and security analysts are altered. This means that even if a process was started with malicious intentions, the attackers can overwrite these initial arguments with harmless-looking ones. As a result, the process can appear legitimate to security systems and analysts, and potentially hiding the malicious activity.

The sophistication of Process Argument Spoofing lies in its ability to alter process information after the process has been created and initially inspected by security tools, making it a bit more challenging to detect.

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.


Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Sleeping Alien

Subscribe to our Newsletter

Don't miss out on the latest and greatest updates from us! Subscribe to our newsletter and be the first to know about exciting content and future updates.