Description
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
Adversaries may manipulate a process PEB to evade defenses. For example, Process Hollowing can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the Native API WriteProcessMemory() function) then resume process execution with malicious arguments.(Citation: Cobalt Strike Arguments 2019)(Citation: Xpn Argue Like Cobalt 2019)(Citation: Nviso Spoof Command Line 2020)
Adversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.(Citation: FireEye FiveHands April 2021)
This behavior may also be combined with other tricks (such as Parent PID Spoofing) to manipulate or further evade process-based detections.
Platforms
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can use spoof arguments in spawned processes that execute beacon commands.(Citation: Cobalt S... |
| S0615 | SombRAT | Malware | [SombRAT](https://attack.mitre.org/software/S0615) has the ability to modify its process memory to hide process command-line arguments.(Citation: Fire... |
References
- Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021.
- Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.
- McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
- Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.
- Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021.
Frequently Asked Questions
What is T1564.010 (Process Argument Spoofing)?
T1564.010 is a MITRE ATT&CK technique named 'Process Argument Spoofing'. It belongs to the Stealth tactic(s). Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by...
How can T1564.010 be detected?
Detection of T1564.010 (Process Argument Spoofing) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1564.010?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1564.010?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.