T1564.010 Process Argument Spoofing Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect Process Argument Spoofing (T1564.010)
// Primary signal: process injection-class API calls that enable PEB manipulation
// These APIs are required to write to a target process PEB after creation
//
// MDE captures WriteProcessMemory-pathway events via DeviceEvents ActionTypes

let KnownSecurityTools = dynamic([
    "MsMpEng.exe", "MsSense.exe", "SenseNdr.exe", "CylanceSvc.exe",
    "cb.exe", "cbdaemon.exe", "CSFalconService.exe", "SentinelAgent.exe",
    "CSFalcon.exe", "elastic-endpoint.exe"
]);

let LolbinTargets = dynamic([
    "svchost.exe", "rundll32.exe", "dllhost.exe", "regsvr32.exe",
    "msiexec.exe", "conhost.exe", "notepad.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "werfault.exe", "taskhost.exe",
    "taskhostw.exe", "backgroundtaskhost.exe"
]);

// Stage 1: Capture process injection-class events (enable PEB write access)
let InjectionEvents = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in (
    "ProcessInjection",
    "CreateRemoteThreadApiCall",
    "NtAllocateVirtualMemoryRemoteApiCall",
    "SetThreadContextApiCall",
    "NtMapViewOfSectionRemoteApiCall"
)
| where InitiatingProcessFileName !in~ (KnownSecurityTools)
| extend Fields = parse_json(AdditionalFields)
| extend TargetProcessId = tolong(Fields.TargetProcessId)
| extend TargetProcessName = tostring(Fields.TargetProcessName)
| extend IsLolbinTarget = TargetProcessName has_any (LolbinTargets)
// Exclude injections from known-good system parents into their own children
| where not (
    InitiatingProcessFileName =~ "services.exe" and TargetProcessName =~ "svchost.exe"
)
| project Timestamp, DeviceName, AccountName,
          ActionType,
          InjectorProcess = InitiatingProcessFileName,
          InjectorCommandLine = InitiatingProcessCommandLine,
          InjectorPID = InitiatingProcessId,
          TargetProcess = TargetProcessName,
          TargetPID = TargetProcessId,
          IsLolbinTarget;

// Stage 2: Join to target process creation to expose the (potentially spoofed) command line
let RecentProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| project DeviceName, ProcessId, SuspectedCommandLine = ProcessCommandLine,
          ProcessFileName = FileName, ProcessCreationTime = Timestamp;

InjectionEvents
| join kind=leftouter (
    RecentProcesses
) on DeviceName, $left.TargetPID == $right.ProcessId
| extend TimeDeltaSecs = datetime_diff("second", Timestamp, ProcessCreationTime)
// PEB spoofing occurs immediately after process creation (within seconds)
| extend IsEarlyInjection = (TimeDeltaSecs >= -2 and TimeDeltaSecs <= 30)
| extend SuspicionScore = toint(IsLolbinTarget) + toint(IsEarlyInjection)
         + iif(ActionType in ("SetThreadContextApiCall", "CreateRemoteThreadApiCall"), 1, 0)
| where SuspicionScore >= 1 or isempty(TimeDeltaSecs)
| project Timestamp, DeviceName, AccountName,
          ActionType,
          InjectorProcess, InjectorCommandLine, InjectorPID,
          TargetProcess, TargetPID,
          SuspectedSpoofedCommandLine = SuspectedCommandLine,
          TimeDeltaSecs, IsEarlyInjection, IsLolbinTarget, SuspicionScore
| sort by SuspicionScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Process: Process Access Process: OS API Execution Microsoft Defender for Endpoint DeviceEvents Microsoft Defender for Endpoint DeviceProcessEvents

Required Tables

DeviceEvents DeviceProcessEvents

False Positives

Legitimate security and monitoring tools (AV, EDR agents) that use process injection or memory scanning to inspect process memory
Game anti-cheat software that injects into game processes using similar API patterns
Windows system processes: services.exe spawning svchost.exe children, csrss.exe internal operations, wininit.exe managing subsystem initialization
Debuggers and development tools (Visual Studio, WinDbg, x64dbg) that attach to processes and write memory during debugging sessions
IT management and RPA tools (UiPath, Automation Anywhere, some SCCM operations) that inject into processes for automation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    (EventCode=10 OR EventCode=8)

// ---- EventCode=10: ProcessAccess — filter to write-capable GrantedAccess values ----
// Values that include PROCESS_VM_WRITE (0x0020) and/or PROCESS_VM_OPERATION (0x0008)
// enabling WriteProcessMemory() calls needed to overwrite the PEB
| eval HasWriteAccess=if(
    EventCode=10 AND GrantedAccess IN (
        "0x1fffff", "0x001fffff",
        "0x1f3fff", "0x1f0fff",
        "0x143a",   "0x1438",   "0x143b",
        "0x0028",   "0x0038",   "0x003c",
        "0x0030",   "0x0020",   "0x0820"
    ), 1, 0
)

// ---- EventCode=8: CreateRemoteThread — always suspicious cross-process ----
| eval IsRemoteThread=if(EventCode=8, 1, 0)

| where HasWriteAccess=1 OR IsRemoteThread=1

// Normalize basenames for matching
| eval TargetBasename=lower(replace(TargetImage, ".*\\\\", ""))
| eval SourceBasename=lower(replace(SourceImage, ".*\\\\", ""))

// Filter out known security tool sources
| eval IsKnownSecTool=if(
    match(SourceBasename, "(?i)^(msmpeng|mssense|sensenir|sensedr|cylancesvc|cb\.exe|cbdaemon|csfalcon|sentinelagent|elastic.endpoint|carbonblack)"),
    1, 0
)
| where IsKnownSecTool=0

// Filter benign system self-injection: services.exe → svchost.exe
| where NOT (SourceBasename="services.exe" AND TargetBasename="svchost.exe")
| where NOT (SourceBasename="wininit.exe")
| where NOT (SourceBasename="csrss.exe")

// Detect LOLBin targets (high-value spoofing candidates)
| eval IsLolbinTarget=if(
    TargetBasename IN (
        "svchost.exe","rundll32.exe","dllhost.exe","regsvr32.exe",
        "msiexec.exe","conhost.exe","notepad.exe","cmd.exe",
        "wscript.exe","cscript.exe","werfault.exe","taskhostw.exe"
    ), 1, 0
)

// Detect suspicious source processes (Office apps, script hosts as injectors)
| eval IsSuspiciousSource=if(
    match(SourceBasename, "(?i)^(excel|winword|powerpnt|outlook|msaccess|onenote|mshta|wscript|cscript|msbuild|csc|installutil)\.exe$"),
    1, 0
)

// Cobalt Strike argument spoofing patterns: CallTrace showing direct syscalls or unbacked memory
| eval HasSuspiciousCallTrace=if(
    match(CallTrace, "(?i)(UNKNOWN|ntdll\.dll\+0x[0-9a-f]+\|UNKNOWN|\\\\Device\\\\HarddiskVolume[0-9]+\\\\Windows\\\\SYSTEM32\\\\ntdll)") AND
    NOT match(CallTrace, "(?i)\\\\WINDOWS\\\\System32\\\\"),
    1, 0
)

// Composite suspicion scoring
| eval SuspicionScore=HasWriteAccess + IsRemoteThread + IsLolbinTarget + IsSuspiciousSource + coalesce(HasSuspiciousCallTrace, 0)

| table _time, host, User, SourceBasename, SourceImage, SourceCommandLine,
        TargetBasename, TargetImage, GrantedAccess, CallTrace,
        EventCode, HasWriteAccess, IsRemoteThread, IsLolbinTarget,
        IsSuspiciousSource, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Access Process: OS API Execution Sysmon EventCode 10 (ProcessAccess) Sysmon EventCode 8 (CreateRemoteThread)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Security and endpoint protection tools (AV, EDR, DLP) that require process memory access for scanning and protection
Anti-cheat software in gaming environments (EasyAntiCheat, BattlEye) that use cross-process memory access
Debuggers and profiling tools (WinDbg, Visual Studio Debugger, Intel VTune, Process Hacker) generating high volumes of process access events
Windows system operations: DWM compositing engine, accessibility tools (narrator.exe), COM+ infrastructure making cross-process calls
Some legitimate endpoint automation platforms using process injection for monitoring or telemetry collection

Elastic Security (EQL)

eql

process where event.type == "start" and
  (
    (process.name : ("CreateProcessW","CreateProcessA") and
     process.args_count > 0) or
    process.args : ("*NtCreateThreadEx*","*WriteProcessMemory*","*ZwCreateProcess*") or
    (process.parent.name : ("svchost.exe","services.exe","lsass.exe","winlogon.exe") and
     process.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe",
                      "rundll32.exe","regsvr32.exe","mshta.exe") and
     process.args_count == 0)
  )

high severity medium confidence

Data Sources

Windows Process Events

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate security and monitoring tools (AV, EDR agents) that use process injection or memory scanning to inspect process memory
Game anti-cheat software that injects into game processes using similar API patterns
Windows system processes: services.exe spawning svchost.exe children, csrss.exe internal operations, wininit.exe managing subsystem initialization
Debuggers and development tools (Visual Studio, WinDbg, x64dbg) that attach to processes and write memory during debugging sessions
IT management and RPA tools (UiPath, Automation Anywhere, some SCCM operations) that inject into processes for automation

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine,
  "ParentImage" as ParentProcess, "ParentCommandLine" as ParentCmd,
  CASE WHEN LOWER("ParentImage") LIKE '%lsass.exe%' AND LOWER("Image") LIKE '%cmd.exe%' THEN 10
       WHEN ("CommandLine" IS NULL OR LENGTH("CommandLine") = 0)
            AND LOWER("Image") LIKE ANY ('%powershell%','%wscript%','%mshta%') THEN 9
       ELSE 6 END as RiskScore
FROM events
WHERE eventid IN (1, 4688)
  AND LOWER(coalesce("ParentImage","")) LIKE ANY
    ('%svchost.exe%','%services.exe%','%lsass.exe%','%winlogon.exe%')
  AND LOWER("Image") LIKE ANY
    ('%cmd.exe%','%powershell.exe%','%pwsh.exe%','%wscript.exe%','%cscript.exe%',
     '%rundll32.exe%','%regsvr32.exe%','%mshta.exe%')
  AND (LENGTH(coalesce("CommandLine","")) <= LENGTH("Image") + 5)
ORDER BY RiskScore DESC, EventTime DESC

high severity medium confidence

Data Sources

Windows Security Event Log Windows Sysmon

Required Tables

events

False Positives

Legitimate security and monitoring tools (AV, EDR agents) that use process injection or memory scanning to inspect process memory
Game anti-cheat software that injects into game processes using similar API patterns
Windows system processes: services.exe spawning svchost.exe children, csrss.exe internal operations, wininit.exe managing subsystem initialization
Debuggers and development tools (Visual Studio, WinDbg, x64dbg) that attach to processes and write memory during debugging sessions
IT management and RPA tools (UiPath, Automation Anywhere, some SCCM operations) that inject into processes for automation

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json auto
| where EventID in ("1","4688")
| eval ParentLower = toLower(coalesce(ParentImage, ParentProcessName, ""))
| eval ImageLower = toLower(coalesce(Image, NewProcessName, ""))
| eval CmdLen = length(coalesce(CommandLine,""))
| eval ImageLen = length(coalesce(Image,""))
| where ParentLower matches ".*(svchost|services|lsass|winlogon)\.exe.*"
| where ImageLower matches ".*(cmd|powershell|pwsh|wscript|cscript|rundll32|regsvr32|mshta)\.exe.*"
| where CmdLen <= ImageLen + 5
| eval risk = if(ParentLower matches ".*lsass.*", "critical",
    if(ImageLower matches ".*(powershell|wscript|mshta).*", "high", "medium"))
| table _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, risk
| sort by _time desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Windows Security via Sumo Logic

Required Tables

windows/sysmon windows/security

False Positives

Legitimate security and monitoring tools (AV, EDR agents) that use process injection or memory scanning to inspect process memory
Game anti-cheat software that injects into game processes using similar API patterns
Windows system processes: services.exe spawning svchost.exe children, csrss.exe internal operations, wininit.exe managing subsystem initialization
Debuggers and development tools (Visual Studio, WinDbg, x64dbg) that attach to processes and write memory during debugging sessions
IT management and RPA tools (UiPath, Automation Anywhere, some SCCM operations) that inject into processes for automation

Google Chronicle / SecOps

yaral

rule process_argument_spoofing {
  meta:
    author = "Detection Engineering"
    description = "Detects process argument spoofing via trusted parent process anomalies (T1564.010)"
    severity = "HIGH"
    tactic = "TA0005"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.principal.process.file.full_path, `(?i)(svchost|services|lsass|winlogon)\.exe`) nocase
    re.regex($e.target.process.file.full_path, `(?i)(cmd|powershell|pwsh|wscript|cscript|rundll32|regsvr32|mshta)\.exe`) nocase
    $e.target.process.command_line = "" or not $e.target.process.command_line != ""

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate security and monitoring tools (AV, EDR agents) that use process injection or memory scanning to inspect process memory
Game anti-cheat software that injects into game processes using similar API patterns
Windows system processes: services.exe spawning svchost.exe children, csrss.exe internal operations, wininit.exe managing subsystem initialization
Debuggers and development tools (Visual Studio, WinDbg, x64dbg) that attach to processes and write memory during debugging sessions
IT management and RPA tools (UiPath, Automation Anywhere, some SCCM operations) that inject into processes for automation

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ParentBaseFileName = /(svchost|services|lsass|winlogon)\.exe/i
| ImageFileName = /(cmd|powershell|pwsh|wscript|cscript|rundll32|regsvr32|mshta)\.exe$/i
| len(CommandLine) <= len(ImageFileName) + 5
| eval risk = case {
    ParentBaseFileName = /lsass\.exe/i : "critical";
    ImageFileName = /(powershell|wscript|mshta)\.exe$/i : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, risk
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Legitimate security and monitoring tools (AV, EDR agents) that use process injection or memory scanning to inspect process memory
Game anti-cheat software that injects into game processes using similar API patterns
Windows system processes: services.exe spawning svchost.exe children, csrss.exe internal operations, wininit.exe managing subsystem initialization
Debuggers and development tools (Visual Studio, WinDbg, x64dbg) that attach to processes and write memory during debugging sessions
IT management and RPA tools (UiPath, Automation Anywhere, some SCCM operations) that inject into processes for automation

Process Argument Spoofing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections