{
	"id": "d88d490a-a72d-4209-8d51-d8d34dfa0d94",
	"created_at": "2026-04-06T00:13:00.792078Z",
	"updated_at": "2026-04-10T03:22:12.16054Z",
	"deleted_at": null,
	"sha1_hash": "f8cff53d36dfbf9820cedf2fbebae13a4186991a",
	"title": "The return of the spoof part 2: Command line spoofing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 111340,
	"plain_text": "The return of the spoof part 2: Command line spoofing\r\nBy NVISO\r\nPublished: 2020-02-04 · Archived: 2026-04-05 14:13:01 UTC\r\nA few days ago I wrote a blog post about the evolving landscape of threat detection and how attackers need to adapt their techniques. In the previous post, I talked about one of the deception techniques that attackers are now using, called parent process ID spoofing. In this blog post, I’ll talk about another deception technique that goes hand in hand with the parent PID spoofing technique, which is called “command line spoofing”.\r\nWhat is command line spoofing and why is it deceptive?\r\nCommand line spoofing is a technique that spawns a process with fake arguments and overrides those arguments at execution time. The way this works is that an attacker uses a technique called process hollowing. Process hollowing spawns a process in a suspended state, which is done using legitimate Windows API calls.\r\nTell me more about these Windows API calls!\r\nSpecifically, the CreateProcessA function is used for this. One of the parameters of this function is the dwCreationFlags argument, which accepts a value called “CREATE_SUSPENDED”. If a process is spawned with this flag, it is launched in a suspended state and will not run until the ResumeThread function is called. This provides the unique opportunity for a malicious actor to spawn a completely harmless process without it actually executing. This in itself is enough to fool any endpoint protection that checks process creation for malicious behavior. Sysmon, for example, is completely fooled by this technique, since it records the command line at process creation time.\r\n(Figure: A high level overview of command line argument spoofing)\r\nSo, how does an attacker abuse this suspended process?\r\nOnce the process is spawned in a suspended state, an attacker looks for the process in memory. The way this usually happens is by querying the PEB (Process Environment Block). The PEB is a data structure that holds all the information of the current process (every process has a PEB). Once the correct PEB is found in memory, the arguments are updated to the malicious arguments and the process is resumed, resulting in execution of the malicious code.\r\nThat sounds serious once again! How can we detect it?\r\nGood news! If an attacker only did the above steps, tools like Process Hacker and Process Explorer will catch this technique. This is because Process Hacker and Process Explorer actually retrieve a copy of the PEB each time the process is inspected, meaning that our spoofed arguments are revealed.\r\nAdam Chester found a way to bypass the Process Explorer and Process Hacker monitoring mechanisms. I’ll explain it here briefly:\r\nThe PEB stores command line arguments in a UNICODE_STRING structure, which is part of RTL_USER_PROCESS_PARAMETERS:\r\ntypedef struct _RTL_USER_PROCESS_PARAMETERS {\r\n  BYTE Reserved1[16];\r\n  PVOID Reserved2[10];\r\n  UNICODE_STRING ImagePathName;\r\n  UNICODE_STRING CommandLine; // the command line that inspection tools read back from the PEB\r\n} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;\r\nThe UNICODE_STRING structure looks like this:\r\ntypedef struct _UNICODE_STRING {\r\n  USHORT Length;        // length of the string in Buffer, in bytes\r\n  USHORT MaximumLength; // total size of Buffer, in bytes\r\n  PWSTR Buffer;         // pointer to the wide-character string\r\n} UNICODE_STRING, *PUNICODE_STRING;\r\nWhen an attacker sets a Length that is less than the buffer, Process Hacker and Process Explorer will terminate the “commandline” argument at the Length of the UNICODE_STRING. The actual process, however, will use the Buffer parameter and will thus execute the full buffer. This allows attackers to spawn processes that will fool even Process Hacker and Process Explorer!\r\nSo how do we detect this Process Explorer / Process Hacker bypassing behavior?\r\nAt the time of writing, I have not found a foolproof way of detecting this behavior. Sysmon (and most likely other EDR solutions) still logs the fact that the process is making a network connection and, shortly after, spawning another process (most of the time a reverse shell or a malicious executable). This could also be considered suspicious behavior to raise alerts on.\r\nNote: sysmonx claims to have detection capabilities for this technique. However, when I tried to compile sysmonx, a lot of build errors appeared. I can only assume sysmonx is still a work in progress, but it might be worth keeping an eye on.\r\nConclusion\r\nThis concludes my two blog posts about deception techniques used in the wild. As you can see, when these two concepts are paired with each other, they can make the defender’s life a lot more difficult. It’s pretty hard to detect these deception techniques at scale because of the enormous amount of logging that would be required. The detection techniques are also prone to false positives, so it’s hard to distinguish the malicious activities from the false positives.\r\nI have written four example scenarios, available over at GitHub, should you want to try them out for yourself. It is worth mentioning that cmd and powershell are just example scenarios; any valid command can get executed using this method.\r\nShould you have knowledge of a robust and mature tool that can detect this technique from a blue perspective, feel free to reach out by commenting on this blog post!\r\nAbout the author\r\nJean-François Maes is a red teaming and social engineering expert working in the NVISO Cyber Resilience team. When he is not working, you can probably find Jean-François in the gym or conducting research. You can find Jean-François on LinkedIn.\r\nPublished February 4, 2020; last updated December 8, 2021\r\nSource: https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/"
	],
	"report_names": [
		"the-return-of-the-spoof-part-2-command-line-spoofing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8cff53d36dfbf9820cedf2fbebae13a4186991a.pdf",
		"text": "https://archive.orkl.eu/f8cff53d36dfbf9820cedf2fbebae13a4186991a.txt",
		"img": "https://archive.orkl.eu/f8cff53d36dfbf9820cedf2fbebae13a4186991a.jpg"
	}
}