Inconsistencies between the command-line arguments recorded for a process at creation time and the behavior that process subsequently exhibits. Defender perspective: monitor for processes created in a suspended state and then modified from outside before their main thread resumes, typically a handle opened on the new process with write rights (PROCESS_VM_WRITE and PROCESS_VM_OPERATION) followed by WriteProcessMemory targeting the PEB, where RTL_USER_PROCESS_PARAMETERS holds the command line. Security event 4688 records the command line as it existed at creation, i.e. the decoy, so the spoof is not visible in the creation event alone; it has to be correlated with the later write and with the process's activity. Detection therefore also includes observing behavior that the logged arguments do not account for (e.g., network connections, file writes, or registry modifications). Two prerequisites: 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled, and Sysmon event 10 only covers targets that the Sysmon configuration does not filter out of ProcessAccess.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| SuspendedProcessWindow | Maximum time between process creation (4688) and a write-capable handle open or memory write against that process (Sysmon event 10) for the two to be treated as one sequence. Tunable based on baseline activity in the environment. |
| SensitiveProcesses | List of critical processes (e.g., explorer.exe, lsass.exe) where argument spoofing is highly suspicious. Can be customized per organization. |
| BehavioralCorrelationWindow | Time span in which to correlate command-line inconsistencies with anomalous behavior such as network activity or registry modification. |
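As an added example that is not part of this page or of the ATT&CK project, the following Python implements the two-stage correlation described above over constructed sample events: a Security 4688 creation, a Sysmon event 10 in which the new process is opened with the rights WriteProcessMemory needs (PROCESS_VM_WRITE | PROCESS_VM_OPERATION) inside SuspendedProcessWindow, and then activity inside BehavioralCorrelationWindow that the logged command line does not explain. Sysmon event 3 (NetworkConnect) stands in for that activity, which is an assumption since the page lists only 4688 and event 10. The tunable values, field names, severity logic and the sample events are all assumptions. One caveat to verify in your own environment before relying on stage one: the parent already holds a full-access handle returned by CreateProcess, so confirm that your Sysmon configuration actually records that handle as an event 10 rather than only handles opened later with OpenProcess.

```python
from datetime import datetime, timedelta

# Tunables named in the analytic; the values are illustrative assumptions.
SUSPENDED_PROCESS_WINDOW = timedelta(seconds=5)
BEHAVIORAL_CORRELATION_WINDOW = timedelta(seconds=60)
SENSITIVE_PROCESSES = {"explorer.exe", "lsass.exe"}

# Rights WriteProcessMemory needs on the target handle (winnt.h values).
# Sysmon event 10 reports the rights actually granted in GrantedAccess.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def ts(value):
    return datetime.fromisoformat(value)


def pid(value):
    """4688 logs PIDs as hex strings ("0x1a2c"); Sysmon logs decimal. Normalize to int."""
    return int(str(value), 0)


def granted(value):
    return int(str(value), 16)


# Constructed sample events, not real telemetry. Field names follow Security
# 4688, Sysmon event 10 (ProcessAccess) and Sysmon event 3 (NetworkConnect).
EVENTS = [
    # Parent 0xf00 creates cmd.exe (PID 0x1a2c = 6700) with a harmless command line ...
    {"ts": "2024-05-01T10:00:00", "EventCode": 4688, "ProcessId": "0xf00",
     "NewProcessId": "0x1a2c", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo benign"},
    # ... opens it with full access one second later (the PEB rewrite) ...
    {"ts": "2024-05-01T10:00:01", "EventCode": 10, "SourceProcessId": 3840,
     "TargetProcessId": 6700, "GrantedAccess": "0x1FFFFF",
     "TargetImage": r"C:\Windows\System32\cmd.exe"},
    # ... and the child then makes a connection its logged arguments do not explain.
    {"ts": "2024-05-01T10:00:20", "EventCode": 3, "ProcessId": 6700,
     "Image": r"C:\Windows\System32\cmd.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    # Benign control: notepad.exe is only queried (no VM write rights) by a monitoring tool.
    {"ts": "2024-05-01T10:05:00", "EventCode": 4688, "ProcessId": "0xf00",
     "NewProcessId": "0x2000", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"ts": "2024-05-01T10:05:02", "EventCode": 10, "SourceProcessId": 1234,
     "TargetProcessId": 8192, "GrantedAccess": "0x1000",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]


def detect(events, suspended_window=SUSPENDED_PROCESS_WINDOW,
           behavior_window=BEHAVIORAL_CORRELATION_WINDOW,
           sensitive=SENSITIVE_PROCESSES):
    """Return one alert per new process that was opened with write rights within
    suspended_window of its 4688, enriched with any network activity the child
    shows within behavior_window of that write."""
    events = sorted(events, key=lambda e: ts(e["ts"]))
    alerts = []
    for created in (e for e in events if e["EventCode"] == 4688):
        target = pid(created["NewProcessId"])
        t0 = ts(created["ts"])
        # Stage 1: write-capable handle opened on the new process shortly after creation.
        writes = [e for e in events
                  if e["EventCode"] == 10 and pid(e["TargetProcessId"]) == target
                  and (granted(e["GrantedAccess"]) & WRITE_MASK) == WRITE_MASK
                  and t0 <= ts(e["ts"]) <= t0 + suspended_window]
        if not writes:
            continue
        # Stage 2: behavior from the child that the logged command line does not account for.
        t1 = ts(writes[0]["ts"])
        behavior = [e for e in events
                    if e["EventCode"] == 3 and pid(e["ProcessId"]) == target
                    and t1 <= ts(e["ts"]) <= t1 + behavior_window]
        image = created["NewProcessName"].rsplit("\\", 1)[-1].lower()
        writer_is_parent = any(pid(w["SourceProcessId"]) == pid(created["ProcessId"])
                               for w in writes)
        alerts.append({
            "pid": target,
            "image": image,
            "logged_command_line": created["CommandLine"],
            "writer_pids": sorted({pid(w["SourceProcessId"]) for w in writes}),
            "writer_is_parent": writer_is_parent,
            "behavior": behavior,
            # Escalate when a sensitive image is involved or unexplained behavior follows.
            "severity": "high" if (image in sensitive or behavior) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["severity"], a["pid"], a["image"], repr(a["logged_command_line"]),
              "writer_is_parent=%s" % a["writer_is_parent"], "behaviors=%d" % len(a["behavior"]))
```

Stage one alone fires on legitimate injectors and debuggers, which is why the analytic keeps a separate BehavioralCorrelationWindow: a write-capable handle from the parent inside SuspendedProcessWindow is the trigger, and the behavior stage and SensitiveProcesses list decide how loudly to alert. Treat GrantedAccess as a bitmask rather than matching the literal 0x1FFFFF, since a careful attacker requests only the rights it needs.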