
Detect Process Argument Spoofing in IBM QRadar

Adversaries may hide a process's real command-line arguments by overwriting them in the Process Environment Block (PEB) after the process has been created. The PEB is a per-process user-mode structure; its ProcessParameters field points to an RTL_USER_PROCESS_PARAMETERS structure whose CommandLine member (a UNICODE_STRING with Length, MaximumLength and Buffer) holds the arguments the process reads at startup. Kernel process-creation callbacks, and therefore Sysmon Event ID 1 and Security Event ID 4688, capture the command line once, at creation. The technique exploits that single snapshot. The adversary creates the target process suspended (CREATE_SUSPENDED) with an innocuous decoy command line such as 'svchost.exe -k netsvcs', which is what gets logged. While the main thread has not yet run, it locates the PEB with NtQueryInformationProcess (ProcessBasicInformation), reads ProcessParameters, and calls WriteProcessMemory (a wrapper around NtWriteVirtualMemory) to overwrite the CommandLine buffer with the real arguments; then it resumes the thread. The process runs with the real arguments while every creation-time record shows the decoy. Because the real string is written into the decoy's existing buffer, the decoy must be at least as long as the real arguments; a tool that later reads the UNICODE_STRING by its unchanged Length rather than stopping at the first NUL may see the real arguments followed by a NUL and the tail of the decoy, which is itself a forensic artifact. Cobalt Strike implements this as the 'argue' command, letting operators mask the arguments of processes spawned by a beacon. SombRAT uses the same mechanism to hide its own command-line parameters from post-execution memory analysis. The technique is commonly chained with Parent PID Spoofing (T1134.004) so that the decoy command line also sits under a plausible parent in the process tree.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1564 Hide Artifacts
Sub-technique: T1564.010 Process Argument Spoofing
Canonical reference: https://attack.mitre.org/techniques/T1564/010/

QRadar Detection Query

IBM QRadar (QRadar)
aql
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource, username AS User,
  "Image" AS ProcessImage, "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess, "ParentCommandLine" AS ParentCmd
FROM events
WHERE "EventID" IN (1, 4688)
  AND "ParentImage" IS NOT NULL
  AND (LOWER("ParentImage") LIKE '%svchost.exe'
    OR LOWER("ParentImage") LIKE '%services.exe'
    OR LOWER("ParentImage") LIKE '%lsass.exe'
    OR LOWER("ParentImage") LIKE '%winlogon.exe')
  AND (LOWER("Image") LIKE '%cmd.exe'
    OR LOWER("Image") LIKE '%powershell.exe'
    OR LOWER("Image") LIKE '%pwsh.exe'
    OR LOWER("Image") LIKE '%wscript.exe'
    OR LOWER("Image") LIKE '%cscript.exe'
    OR LOWER("Image") LIKE '%rundll32.exe'
    OR LOWER("Image") LIKE '%regsvr32.exe'
    OR LOWER("Image") LIKE '%mshta.exe')
  AND ("CommandLine" IS NULL OR STRLEN("CommandLine") <= STRLEN("Image") + 5)
ORDER BY devicetime DESC
LAST 24 HOURS
Severity: high · Confidence: medium

Flags cmd.exe, script hosts and LOLBin launchers spawned by svchost.exe, services.exe, lsass.exe or winlogon.exe with an empty or near-empty command line (no more than five characters beyond the image path). The query is written in AQL, not generic SQL: LIKE ANY, CASE and LENGTH are not AQL, so the alternatives are spelled out as OR terms, lengths use STRLEN, and "EventID", "Image", "CommandLine", "ParentImage" and "ParentCommandLine" are assumed to be the custom event properties populated by your Windows Security / Sysmon DSM (rename them to match your deployment). Triage in this order, which reproduces the score tiers the rule previously computed inline: cmd.exe under lsass.exe first (10), then an empty command line on powershell, wscript or mshta (9), then everything else (6). Note the limitation: what the SIEM logged is the decoy, so this rule only catches the lazy case where the decoy is nearly empty; a plausible, longer decoy passes it. Treat it as a triage feed and confirm by comparing the logged command line with the one read from the live PEB (Test 4 below).
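The rule's logic as an added, runnable example (not QRadar's or the page author's code), applied to constructed Sysmon Event ID 1 / Security Event ID 4688 records: the same parent and child lists, the same length check, and the triage tiers (cmd.exe under lsass.exe, empty command line on a script host, everything else). It matches on the image basename, which is stricter than the AQL LIKE patterns; the sample records, field names and timestamps are constructed, not captured telemetry.

```python
"""Offline check of the QRadar argument-spoofing heuristic.

Added example (not QRadar's code): re-implements the WHERE clause and the
triage tiers of the AQL rule above so they can be exercised against
constructed Sysmon Event ID 1 / Security Event ID 4688 records without a SIEM.
Field names follow Sysmon; every record in SAMPLE_EVENTS is constructed.
"""
from __future__ import annotations

SYSTEM_PARENTS = ("svchost.exe", "services.exe", "lsass.exe", "winlogon.exe")
SUSPICIOUS_CHILDREN = (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe",
)
SCRIPT_HOSTS = ("powershell", "wscript", "mshta")
SLACK = 5  # same as STRLEN("CommandLine") <= STRLEN("Image") + 5 in the rule


def basename(path: str | None) -> str:
    """Last path component, lower-cased (stricter than the AQL LIKE '%name')."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_candidate(event: dict) -> bool:
    """Same conditions as the AQL WHERE clause."""
    if event.get("EventID") not in (1, 4688):
        return False
    if basename(event.get("ParentImage")) not in SYSTEM_PARENTS:
        return False
    if basename(event.get("Image")) not in SUSPICIOUS_CHILDREN:
        return False
    cmd = event.get("CommandLine") or ""          # NULL and '' both count as empty
    return len(cmd) <= len(event.get("Image", "")) + SLACK


def risk_score(event: dict) -> int:
    """Triage tiers from the rule description (AQL itself has no CASE)."""
    parent, image = basename(event.get("ParentImage")), basename(event.get("Image"))
    if parent == "lsass.exe" and image == "cmd.exe":
        return 10
    if not (event.get("CommandLine") or "") and any(h in image for h in SCRIPT_HOSTS):
        return 9
    return 6


def evaluate(events: list[dict]) -> list[dict]:
    """Matching events with a RiskScore, highest score and newest time first."""
    hits = [dict(e, RiskScore=risk_score(e)) for e in events if is_candidate(e)]
    hits.sort(key=lambda h: (h["RiskScore"], h["UtcTime"]), reverse=True)
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:01",
     "ParentImage": r"C:\Windows\System32\lsass.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "UtcTime": "2024-05-01 10:00:05",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": ""},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:09",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\""},
    # Task Scheduler (hosted in svchost.exe) running a full command line: length check excludes it
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:12",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c C:\Scripts\nightly-backup.cmd"},
    # interactive shell from explorer.exe: parent is not in the system list
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:15",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"C:\Windows\System32\cmd.exe"},
    # Sysmon Event ID 10 in the same feed: not a creation event, ignored
    {"EventID": 10, "UtcTime": "2024-05-01 10:00:16",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["RiskScore"], hit["UtcTime"], basename(hit["ParentImage"]),
              "->", basename(hit["Image"]), repr(hit["CommandLine"]))
```

Three of the six records survive: the lsass.exe child scores 10, the empty-command-line PowerShell 9 and the bare rundll32.exe 6, while the scheduled task and the explorer.exe shell fall out on the length and parent checks respectively.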

Data Sources

  • Windows Security Event Log (Event ID 4688, with command-line auditing enabled)
  • Windows Sysmon (Event ID 1; Event ID 10 for the process-access signals used in the tests)

Required Tables

events

False Positives & Tuning

For the creation-time query:
  • Task Scheduler and other services hosted in svchost.exe legitimately start cmd.exe, powershell.exe and cscript.exe for scheduled jobs; most carry a full command line and fall outside the length check, so allow-list by task or script path rather than by parent.
  • Windows system processes: services.exe spawning svchost.exe children, csrss.exe internal operations, wininit.exe managing subsystem initialization (none of these children are in the query's image list, so they only matter if you widen it).

If you extend the detection with Sysmon Event ID 10 (ProcessAccess), as the validation tests do, expect noise from:
  • Legitimate security and monitoring tools (AV, EDR agents) that use process injection or memory scanning to inspect process memory
  • Game anti-cheat software that injects into game processes using similar API patterns
  • Debuggers and development tools (Visual Studio, WinDbg, x64dbg) that attach to processes and write memory during debugging sessions
  • IT management and RPA tools (UiPath, Automation Anywhere, some SCCM operations) that inject into processes for automation
  • The creating parent itself: the handle CreateProcess returns is full access (0x1FFFFF), so every parent appears as accessing its own child. A creator writing into its suspended child is exactly the spoofing pattern and cannot be told apart from a benign parent by the access mask alone.


Testing Methodology

Validate this detection with the four tests below, modelled on Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PEB Argument Spoofing via PowerShell P/Invoke WriteProcessMemory

    Expected signal: Sysmon Event ID 1 (Process Create) for notepad.exe with CommandLine='notepad.exe legitimate-document.txt', the spoofed benign argument and the only value the SIEM sees. Sysmon Event ID 10 (ProcessAccess) from powershell.exe to the notepad.exe PID with GrantedAccess=0x1FFFFF. Security Event ID 4688 (if command-line auditing is enabled) shows the same benign argument. Memory forensics on the notepad.exe process after the write shows 'malicious-payload --connect 192.0.2.1:4444' in the PEB's ProcessParameters->CommandLine.Buffer.

  2. Test 2: Process Hollowing with Argument Spoofing, validated with Sysinternals ProcDump

    Expected signal: Sysmon Event ID 1 for cmd.exe with CommandLine='cmd.exe /c echo legitimate-task'. Sysmon Event ID 10 from the PowerShell parent to the spawned cmd.exe PID during the 3-second suspension window, with GrantedAccess reflecting the handle CreateProcess returned (typically 0x1FFFFF for hProcess). Security Event ID 4688 records the creation time. The 3-second gap between creation and resume is the PEB-modification window; a real attacker would call WriteProcessMemory during it, and nothing in the creation record changes when they do.

  3. Test 3: Cobalt Strike 'argue' Simulation using AtomicTestHarnesses

    Expected signal: Sysmon Event ID 1 for notepad.exe with a CommandLine containing the decoy 'C:\Users\Public\legit.txt', which is the argument visible in all SIEM logs. Sysmon Event ID 10 from the test harness process to notepad.exe with GrantedAccess=0x1FFFFF during the modification window. The TestSuccess field from Invoke-ATHProcessArgSpoofing confirms the PEB was modified: the in-memory CommandLine buffer now holds 'malicious-payload.exe --backdoor' while the process-creation log shows only the decoy.

  4. Test 4: Manual PEB Inspection with WinDbg to Validate the Spoofing Artifact

    Expected signal: Sysmon Event ID 1 for calc.exe with the logged CommandLine. If CDB attaches: Sysmon Event ID 10 with SourceImage=cdb.exe and GrantedAccess reflecting debugger access (0x1FFFFF, or 0x0410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ for a read-only inspection). The !peb output shows the RTL_USER_PROCESS_PARAMETERS structure including the CommandLine UNICODE_STRING. In a spoofed process this value differs from what Sysmon/4688 logged at creation, and a Win32_Process.CommandLine WMI query, which reads the PEB at query time, returns the post-modification value; that disagreement between the creation-time record and any later read of the PEB is the artifact to hunt for.
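The comparison that Test 4 and the overview describe, as an added example that is not part of the page or of any tool it names: pair the command line logged at creation (Sysmon Event ID 1 / Security 4688) with the value read afterwards from the same process's PEB (Win32_Process.CommandLine, Get-Process, or !peb) and flag every process where the two disagree, plus the leftover-decoy artifact that appears when the PEB reader keeps the string's original Length. All records are constructed (the values echo the tests above); the join on PID assumes the live snapshot was taken while those processes were still running, since PIDs are reused.

```python
"""Hunting check: creation-time command line vs. the live PEB command line.

Added example, not code from the page's vendor or from the tools it names.
CREATIONS and LIVE are constructed records; in practice they come from the
SIEM (Sysmon EID 1 / Security 4688) and from a WMI, Get-Process or WinDbg
read of the PEB taken a few seconds later.
"""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Creation:
    """One Sysmon EID 1 / Security 4688 record, as logged at creation."""
    pid: int
    image: str
    command_line: str
    utc_time: str


@dataclass(frozen=True)
class Live:
    """Command line read from the running process's PEB after the fact.
    If the reader copied the full UNICODE_STRING Length, embedded NULs survive."""
    pid: int
    command_line: str


def normalize(cmd: str) -> str:
    """Case-fold, drop quotes and collapse whitespace so formatting differences
    between the creation record and the PEB read do not alert on their own."""
    cmd = cmd.split("\x00", 1)[0]            # compare only what GetCommandLineW returns
    cmd = re.sub(r"\s+", " ", cmd.strip()).lower()
    return cmd.replace('"', "")


def compare(creations: list[Creation], live: list[Live]) -> list[dict]:
    """One finding per process whose live PEB command line does not match the
    creation-time record, with the leftover-decoy artifact noted when present."""
    logged = {c.pid: c for c in creations}
    findings = []
    for lv in live:
        c = logged.get(lv.pid)
        if c is None:
            continue                          # predates log coverage: nothing to compare
        reasons = []
        if normalize(lv.command_line) != normalize(c.command_line):
            reasons.append("live PEB command line differs from creation-time record")
        head, _, tail = lv.command_line.partition("\x00")
        if tail.strip("\x00"):
            reasons.append("text after embedded NUL: remnant of a longer decoy string")
        if reasons:
            findings.append({"pid": lv.pid, "image": c.image, "created": c.utc_time,
                             "logged": c.command_line, "live": head, "reasons": reasons})
    return findings


CREATIONS = [  # constructed creation-time records
    Creation(4120, r"C:\Windows\System32\notepad.exe",
             "notepad.exe legitimate-document.txt", "2024-05-01 10:01:00"),
    Creation(5212, r"C:\Windows\System32\cmd.exe",
             '"C:\\Windows\\System32\\cmd.exe" /c echo legitimate-task', "2024-05-01 10:01:03"),
    Creation(6001, r"C:\Windows\System32\notepad.exe",
             r"notepad.exe C:\Users\Public\legit.txt", "2024-05-01 10:01:07"),
]

LIVE = [  # constructed PEB reads taken a few seconds after creation
    Live(4120, "malicious-payload --connect 192.0.2.1:4444"),          # overwritten
    Live(5212, "C:\\Windows\\System32\\cmd.exe /c echo legitimate-task"),  # quoting only
    # real arguments written over a 37-character decoy; the reader kept the old Length,
    # so the NUL terminator and the decoy's last four characters are still visible
    Live(6001, "malicious-payload.exe --backdoor\x00.txt"),
    Live(7777, "C:\\Windows\\System32\\svchost.exe -k netsvcs"),       # no creation record
]

if __name__ == "__main__":
    for f in compare(CREATIONS, LIVE):
        print(f"PID {f['pid']} {f['image']} created {f['created']}")
        print(f"  logged: {f['logged']!r}\n  live:   {f['live']!r}")
        for r in f["reasons"]:
            print("  -", r)
```

Only PIDs 4120 and 6001 are reported: the cmd.exe record differs from its PEB read solely in quoting, which normalize() discards, and PID 7777 has no creation record to compare against. Sysmon Event ID 10 is deliberately not part of the check, because the creating parent always holds a full-access handle to its child and therefore cannot distinguish a spoofing parent from a benign one.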

Unlock Pro Content

Get the full detection package for T1564.010 including response playbook, investigation guide, and atomic red team tests.
