T1564.010 Microsoft Sentinel · KQL

Detect Process Argument Spoofing in Microsoft Sentinel

Adversaries may attempt to hide process command-line arguments by overwriting the Process Environment Block (PEB) in memory. The PEB is a Windows data structure that stores process metadata, including command-line arguments referenced at execution time. When a process is created, defensive tools and EDR sensors typically capture command-line arguments from the PEB at process creation. Adversaries exploit this monitoring window by first spawning a target process in a suspended state with innocuous-looking arguments (e.g., 'svchost.exe -k netsvcs'), allowing the arguments to be logged by monitoring tools. While the process is suspended, the adversary uses the WriteProcessMemory() Windows API — accessed via NtWriteVirtualMemory — to overwrite the RTL_USER_PROCESS_PARAMETERS structure inside the PEB with malicious arguments. The process is then resumed, executing with the malicious payload while all telemetry shows only the spoofed benign arguments. Cobalt Strike implements this capability as the 'argue' feature, allowing operators to mask beacon-spawned process arguments. SombRAT uses the same mechanism to hide its own command-line parameters from post-execution memory analysis. This technique is commonly chained with Parent PID Spoofing (T1134.004) to further blend injected processes into the legitimate process tree.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1564 Hide Artifacts
Sub-technique: T1564.010 Process Argument Spoofing
Canonical reference: https://attack.mitre.org/techniques/T1564/010/

KQL Detection Query

Microsoft Sentinel (KQL)
// Detect Process Argument Spoofing (T1564.010)
// Primary signal: process injection-class API calls that enable PEB manipulation
// These APIs are required to write to a target process PEB after creation
//
// MDE captures WriteProcessMemory-pathway events via DeviceEvents ActionTypes

let KnownSecurityTools = dynamic([
    "MsMpEng.exe", "MsSense.exe", "SenseNdr.exe", "CylanceSvc.exe",
    "cb.exe", "cbdaemon.exe", "CSFalconService.exe", "SentinelAgent.exe",
    "CSFalcon.exe", "elastic-endpoint.exe"
]);

let LolbinTargets = dynamic([
    "svchost.exe", "rundll32.exe", "dllhost.exe", "regsvr32.exe",
    "msiexec.exe", "conhost.exe", "notepad.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "werfault.exe", "taskhost.exe",
    "taskhostw.exe", "backgroundtaskhost.exe"
]);

// Stage 1: Capture process injection-class events (enable PEB write access)
let InjectionEvents = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in (
    "ProcessInjection",
    "CreateRemoteThreadApiCall",
    "NtAllocateVirtualMemoryRemoteApiCall",
    "SetThreadContextApiCall",
    "NtMapViewOfSectionRemoteApiCall"
)
| where InitiatingProcessFileName !in~ (KnownSecurityTools)
| extend Fields = parse_json(AdditionalFields)
| extend TargetProcessId = tolong(Fields.TargetProcessId)
| extend TargetProcessName = tostring(Fields.TargetProcessName)
| extend IsLolbinTarget = TargetProcessName has_any (LolbinTargets)
// Exclude injections from known-good system parents into their own children
| where not (
    InitiatingProcessFileName =~ "services.exe" and TargetProcessName =~ "svchost.exe"
)
| project Timestamp, DeviceName, AccountName,
          ActionType,
          InjectorProcess = InitiatingProcessFileName,
          InjectorCommandLine = InitiatingProcessCommandLine,
          InjectorPID = InitiatingProcessId,
          TargetProcess = TargetProcessName,
          TargetPID = TargetProcessId,
          IsLolbinTarget;

// Stage 2: Join to target process creation to expose the (potentially spoofed) command line
let RecentProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| project DeviceName, ProcessId, SuspectedCommandLine = ProcessCommandLine,
          ProcessFileName = FileName, ProcessCreationTime = Timestamp;

InjectionEvents
| join kind=leftouter (
    RecentProcesses
) on DeviceName, $left.TargetPID == $right.ProcessId
| extend TimeDeltaSecs = datetime_diff("second", Timestamp, ProcessCreationTime)
// PEB spoofing occurs immediately after process creation (within seconds).
// Null-safe: a target with no creation row in the window (leftouter miss) is not "early",
// otherwise toint(null) would blank the whole score.
| extend IsEarlyInjection = isnotnull(TimeDeltaSecs) and TimeDeltaSecs between (-2 .. 30)
| extend SuspicionScore = toint(IsLolbinTarget) + toint(IsEarlyInjection)
         + iif(ActionType in ("SetThreadContextApiCall", "CreateRemoteThreadApiCall"), 1, 0)
// TimeDeltaSecs is numeric, so test it with isnull(), not isempty() (a string function)
| where SuspicionScore >= 1 or isnull(TimeDeltaSecs)
| project Timestamp, DeviceName, AccountName,
          ActionType,
          InjectorProcess, InjectorCommandLine, InjectorPID,
          TargetProcess, TargetPID,
          SuspectedSpoofedCommandLine = SuspectedCommandLine,
          TimeDeltaSecs, IsEarlyInjection, IsLolbinTarget, SuspicionScore
| sort by SuspicionScore desc, Timestamp desc
Severity: High | Confidence: Medium

Detects process argument spoofing by identifying injection-class API calls in Microsoft Defender for Endpoint (MDE) DeviceEvents that are prerequisites for PEB manipulation. The query specifically monitors for ProcessInjection, CreateRemoteThreadApiCall, NtAllocateVirtualMemoryRemoteApiCall, SetThreadContextApiCall, and NtMapViewOfSectionRemoteApiCall actions originating from non-security-tool processes and targeting common LOLBin processes. It then joins to DeviceProcessEvents to surface the (potentially spoofed) command line logged at process creation. A small TimeDelta between process creation and injection is a key indicator: PEB modification for argument spoofing must occur before the process resumes execution, typically within seconds of creation.
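The Stage 1 filter, Stage 2 join and scoring described above, re-implemented in Python over constructed MDE-shaped rows so the logic can be checked offline. This is an added example, not code from the page or the detection package; the row layout, sample PIDs, timestamps and file names are assumptions, and the null-delta (unmatched target) case is handled explicitly.

```python
from datetime import datetime, timedelta
# Lists mirrored (abridged) from the KQL query above; file names compared case-insensitively.
KNOWN_SECURITY_TOOLS = {"msmpeng.exe", "mssense.exe", "sensendr.exe", "csfalconservice.exe"}
LOLBIN_TARGETS = {"svchost.exe", "rundll32.exe", "dllhost.exe", "regsvr32.exe",
                  "notepad.exe", "cmd.exe", "conhost.exe", "wscript.exe"}
INJECTION_ACTIONS = {"ProcessInjection", "CreateRemoteThreadApiCall", "SetThreadContextApiCall",
                     "NtAllocateVirtualMemoryRemoteApiCall", "NtMapViewOfSectionRemoteApiCall"}
THREAD_CONTROL_ACTIONS = {"SetThreadContextApiCall", "CreateRemoteThreadApiCall"}
def score_injection_events(device_events, process_events):
    """Stage 1 filter, Stage 2 join and scoring of the query, over dict rows (assumed layout)."""
    # Index creation rows by (DeviceName, ProcessId); a reused PID keeps the latest row.
    creations = {(p["DeviceName"], p["ProcessId"]): p for p in process_events}
    rows = []
    for ev in device_events:
        injector = ev["InitiatingProcessFileName"].lower()
        if ev["ActionType"] not in INJECTION_ACTIONS or injector in KNOWN_SECURITY_TOOLS:
            continue
        target = ev["AdditionalFields"].get("TargetProcessName", "").lower()
        target_pid = ev["AdditionalFields"].get("TargetProcessId")
        if injector == "services.exe" and target == "svchost.exe":
            continue  # expected parent/child path, excluded as in the query
        created = creations.get((ev["DeviceName"], target_pid))  # leftouter join
        delta = None if created is None else int((ev["Timestamp"] - created["Timestamp"]).total_seconds())
        # Null-safe: a target with no creation row in the window is not "early" but is still kept.
        is_lolbin, is_early = target in LOLBIN_TARGETS, delta is not None and -2 <= delta <= 30
        score = int(is_lolbin) + int(is_early) + int(ev["ActionType"] in THREAD_CONTROL_ACTIONS)
        if score >= 1 or delta is None:
            rows.append({"Timestamp": ev["Timestamp"], "ActionType": ev["ActionType"],
                         "InjectorProcess": ev["InitiatingProcessFileName"], "TargetProcess": target,
                         "SuspectedSpoofedCommandLine": created["ProcessCommandLine"] if created else None,
                         "TimeDeltaSecs": delta, "IsEarlyInjection": is_early,
                         "IsLolbinTarget": is_lolbin, "SuspicionScore": score})
    rows.sort(key=lambda r: (r["SuspicionScore"], r["Timestamp"]), reverse=True)
    return rows
# Constructed sample telemetry (not real data): one spoofing-shaped sequence plus three negatives.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_PROCESS_EVENTS = [{"DeviceName": "ws01", "ProcessId": 4120, "Timestamp": T0,
                          "ProcessCommandLine": "notepad.exe legitimate-document.txt"}]
def _ev(secs, action, injector, pid, target):
    return {"DeviceName": "ws01", "Timestamp": T0 + timedelta(seconds=secs), "ActionType": action,
            "InitiatingProcessFileName": injector,
            "AdditionalFields": {"TargetProcessId": pid, "TargetProcessName": target}}
SAMPLE_DEVICE_EVENTS = [
    _ev(3, "SetThreadContextApiCall", "powershell.exe", 4120, "notepad.exe"),  # write window after create
    _ev(5, "ProcessInjection", "services.exe", 900, "svchost.exe"),            # excluded parent/child pair
    _ev(6, "CreateRemoteThreadApiCall", "MsMpEng.exe", 4120, "notepad.exe"),   # excluded security tool
    _ev(9, "NtAllocateVirtualMemoryRemoteApiCall", "updater.exe", 5555, "explorer.exe"),  # no creation row
]
```

Running `score_injection_events(SAMPLE_DEVICE_EVENTS, SAMPLE_PROCESS_EVENTS)` returns the notepad.exe row with score 3 first and the unmatched explorer.exe row (delta None, score 0) second, while the services.exe and MsMpEng.exe rows are dropped.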

Data Sources

  • Process: Process Creation
  • Process: Process Access
  • Process: OS API Execution
  • Microsoft Defender for Endpoint DeviceEvents
  • Microsoft Defender for Endpoint DeviceProcessEvents

Required Tables

  • DeviceEvents
  • DeviceProcessEvents

False Positives & Tuning

  • Legitimate security and monitoring tools (AV, EDR agents) that use process injection or memory scanning to inspect process memory
  • Game anti-cheat software that injects into game processes using similar API patterns
  • Windows system processes: services.exe spawning svchost.exe children, csrss.exe internal operations, wininit.exe managing subsystem initialization
  • Debuggers and development tools (Visual Studio, WinDbg, x64dbg) that attach to processes and write memory during debugging sessions
  • IT management and RPA tools (UiPath, Automation Anywhere, some SCCM operations) that inject into processes for automation

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PEB Argument Spoofing via PowerShell P/Invoke WriteProcessMemory

    Expected signal: Sysmon Event ID 1: Process Create for notepad.exe with CommandLine='notepad.exe legitimate-document.txt' (the spoofed benign argument — this is what SIEM captures). Sysmon Event ID 10: ProcessAccess from powershell.exe targeting notepad.exe PID with GrantedAccess=0x1fffff. Security Event ID 4688 (if command line auditing enabled): shows same benign argument. Memory forensics on the notepad.exe process after the call will show 'malicious-payload --connect 192.0.2.1:4444' in the PEB RTL_USER_PROCESS_PARAMETERS.CommandLine.Buffer.

  2. Test 2: Process Hollowing with Argument Spoofing using Sysinternals Procdump Validation

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine='cmd.exe /c echo legitimate-task'. Sysmon Event ID 10: ProcessAccess from the PowerShell parent process to the spawned cmd.exe PID during the 3-second suspension window with GrantedAccess reflecting the handle used in CreateProcess (typically 0x1fffff for the hProcess handle). Security Event 4688 captures creation time. The 3-second gap between creation and resume is the PEB modification window — during this period, a real attacker would be calling WriteProcessMemory.

  3. Test 3: Cobalt Strike Argue Simulation using AtomicTestHarnesses

    Expected signal: Sysmon Event ID 1: Process Create for notepad.exe with CommandLine containing the decoy 'C:\Users\Public\legit.txt' — this is the argument visible in all SIEM logs. Sysmon Event ID 10: ProcessAccess from the test harness process to notepad.exe with GrantedAccess=0x1fffff during the modification window. The TestSuccess field from Invoke-ATHProcessArgSpoofing confirms the PEB was successfully modified — the in-memory CommandLine buffer now contains 'malicious-payload.exe --backdoor' while the process creation log shows only the decoy.

  4. Test 4: Manual PEB Inspection with WinDbg to Validate Spoofing Artifact

    Expected signal: Sysmon Event ID 1: Process Create for calc.exe with logged CommandLine. If CDB attaches: Sysmon Event ID 10 with SourceImage=cdb.exe and GrantedAccess reflecting debug access (0x1fffff or 0x0410). The !peb WinDbg output shows the RTL_USER_PROCESS_PARAMETERS structure including the CommandLine unicode string. In a spoofed process this in-memory value, like the result of a Win32_Process.CommandLine WMI query (which reads the PEB at query time and may therefore reflect the post-modification value), would differ from the command line that Sysmon/4688 logged at creation time.
