Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0045: Detection Strategy for Process Argument Spoofing on Windows

DET0045 is a MITRE ATT&CK detection strategy associated with Process Argument Spoofing, a Windows stealth technique where process command-line arguments ma...

EnterpriseDET0045Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0045 is a MITRE ATT&CK detection strategy associated with Process Argument Spoofing, a Windows stealth technique where process command-line arguments may be hidden by overwriting process memory after process creation. The practical risk is that tools relying only on a single process-creation command line can preserve a misleading view of what actually ran, weakening triage, incident scoping, audit evidence, and detection fidelity.

Executive priority

Treat this as a visibility and evidence-quality issue for Windows monitoring. Security leaders should ask whether SOC and IR teams can trust command-line evidence when investigating suspicious process activity, and whether collection covers both process creation data and later memory/metadata discrepancies. This matters for incident decision-making because incomplete or stale command-line telemetry can delay containment, misclassify activity as benign, or weaken post-incident evidence.

Technical view

The supplied ATT&CK relationship links DET0045 to T1564.010 Process Argument Spoofing, which is described as a Windows stealth behavior involving process command-line arguments stored in the Process Environment Block. SOC and detection engineering teams should validate whether their Windows telemetry captures process creation details early enough and whether any available endpoint telemetry can identify inconsistencies between original process creation arguments and later process memory or process metadata views. Because the detection strategy object itself does not include official detection logic, tuning should be based on local sensor capabilities and confirmed ATT&CK context rather than assuming a specific analytic exists.

Likely telemetry

  • Windows process creation events with executable path, parent process, user, timestamp, and command-line arguments
  • Endpoint detection and response process telemetry that records command line at creation time
  • Telemetry or forensic artifacts that can inspect or compare process memory/PEB-derived command-line values
  • Parent-child process lineage and execution context for suspicious or inconsistent process behavior
  • Incident response memory acquisition or live response data when command-line integrity is in question

Detection direction

  • Validate whether command-line arguments are captured at process creation time, not only queried later from mutable process structures.
  • Look for discrepancies between original process creation telemetry and later reported command-line values where tooling supports comparison.
  • Prioritize coverage for Windows systems because the related ATT&CK technique is explicitly Windows-focused, even though the detection strategy object itself does not list platforms.
  • Tune detections with process lineage and user/context information to reduce false positives from legitimate tools that may present unusual or changing command-line views.
  • Document blind spots where sensors rely solely on PEB-derived command-line values or where memory inspection is unavailable.

Mitigation priorities

  • Establish reliable Windows process creation logging and retention as the baseline control priority.
  • Ensure endpoint tooling records immutable or early-captured command-line evidence where available, and confirm how it handles process memory changes.
  • Update IR playbooks to treat suspicious command-line evidence as potentially incomplete when Process Argument Spoofing is suspected.
  • Use defense-in-depth context such as parent process, user identity, file path, and execution timing rather than command line alone.
  • Maintain evidence-quality documentation for compliance and incident review showing what command-line data is collected, when it is captured, and known limitations.
Analyst notes and limits

The decision value of this object is not a specific rule but a coverage question: can the organization detect or investigate when Windows process arguments shown to defenders may no longer match what was originally executed? This is especially relevant for managed detection, incident response, and detection engineering teams that rely heavily on command-line telemetry for triage and scoping.

The detection strategy object has no official description, detection text, tactics, or platforms supplied. Platform and behavior context come from the relationship to T1564.010 Process Argument Spoofing, whose supplied description is truncated. Local validation is required to determine whether available sensors can compare process creation arguments with later memory-derived values.

Official MITRE ATT&CK definition

Detection Strategy for Process Argument Spoofing on Windows

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1564.010 Process Argument Spoofing Sub-technique This object detects Process Argument Spoofing.
Relationship explorer

All related ATT&CK context

detects · Technique T1564.010: Process Argument Spoofing Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
da8812ac42504a08...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle da8812ac4250…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0045
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use