Command-line Argument Spoofing

View Command-line Argument Configured for Spoofing

An operator can view the command-line argument currently configured for spoofing with the get_argument command.

Change Command-line Argument Configured for Spoofing

To change the command-line argument, use the set_argument command. No argument is configured for spoofing by default. Once an argument is configured, only normal process creations (non-fork & run) are affected. The command modifies the Process Environment Block (PEB) of the newly created process, changing the command-line arguments stored in its RTL_USER_PROCESS_PARAMETERS struct; it uses ReadProcessMemory and WriteProcessMemory to rewrite that block of data with the spoofed argument. Only the run command is affected; child processes created during reflective injections are not. The command can be combined with a spoofed parent process ID. Running help set_argument lists the Affected Commands, i.e. the commands whose behaviour changes when set_argument is configured.

After the command-line argument has been spoofed, the Windows event logs (Sysmon process-creation events) should show powershell.exe executed with the spoofed argument echo $psversiontable.
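From the detection side, the Sysmon observation above is the point to build on: Sysmon Event ID 1 records the command line as it was at process creation, while the process's PEB is what the process actually runs with, so a process whose live PEB command line differs from what Sysmon logged is a candidate for argument spoofing. The following PowerShell script is an added example written for this page, not tooling from the original documentation or the framework it describes. It assumes Sysmon is installed with process-creation logging enabled, that the script runs with rights to read the Sysmon channel and query all processes, and uses a hypothetical helper name (Get-CommandLineMismatch); it reads the live command line through Win32_Process.CommandLine, which is populated from the process's PEB.

```powershell
# Added detection example (not part of the original page).
# Compares the command line Sysmon recorded at process creation (Event ID 1)
# with the command line currently present in each live process's PEB, as
# exposed by Win32_Process.CommandLine. A mismatch is a triage candidate for
# command-line argument spoofing.
# Assumption: Sysmon is installed and logging process creation; the caller can
# read Microsoft-Windows-Sysmon/Operational and enumerate all processes.

function Get-CommandLineMismatch {
    param(
        [int]$LookbackMinutes = 60
    )

    # Live view: WMI/CIM reads CommandLine from each process's PEB.
    $live = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $live[[int]$p.ProcessId] = $p
    }

    # Creation-time view: Sysmon Event ID 1, fields pulled from the event XML.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $procId = [int]$data['ProcessId']
        if (-not $live.ContainsKey($procId)) { continue }   # process already exited

        $proc = $live[$procId]
        # Guard against PID reuse: the live process must not have started
        # before the Sysmon event (a few seconds of clock skew allowed).
        if ($proc.CreationDate -and $proc.CreationDate -lt $e.TimeCreated.AddSeconds(-5)) { continue }

        # [string] casts turn a missing CommandLine into '' instead of $null.
        $logged  = ([string]$data['CommandLine']).Trim()
        $current = ([string]$proc.CommandLine).Trim()

        if ($logged -ne $current) {
            [pscustomobject]@{
                ProcessId          = $procId
                Image              = $data['Image']
                LoggedCommandLine  = $logged     # what Sysmon saw at creation
                CurrentCommandLine = $current    # what the PEB holds now
                ParentProcessId    = $data['ParentProcessId']
                EventTime          = $e.TimeCreated
            }
        }
    }
}

# Usage: list every running process whose live command line no longer matches
# the one Sysmon logged in the last hour.
Get-CommandLineMismatch -LookbackMinutes 60 | Format-List
```

The comparison is point-in-time: it only reports processes that are still running, and some legitimate software rewrites its own command line after start, so treat a mismatch as a lead to correlate with the image path, parent process and the Sysmon event's own fields rather than as a verdict on its own.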

Disable Command-line Argument Spoofing

To disable command-line argument spoofing, use the clear_argument command.