LOLSpoof: An interactive shell to spoof some LOLBins command line
LOLSpoof
LOLSpoof is an interactive shell program that automatically spoofs the command line arguments of the process it spawns. Just type your incriminating-looking LOLBin command line (e.g. powershell -w hidden -enc ZwBlAHQALQBwAHIAbwBjAGUA…) and LOLSpoof makes the process creation telemetry look legitimate and benign.
Why
The process command line is a heavily monitored piece of telemetry, thoroughly inspected by AV/EDR products, SOC analysts and threat hunters.
How
- Prepares the spoofed command line from the real one: `lolbin.exe " " * sizeof(real arguments)`, i.e. the image followed by a run of spaces as long as the real arguments
- Spawns the LOLBin suspended, with the spoofed command line
- Gets the remote PEB address
- Gets the address of the RTL_USER_PROCESS_PARAMETERS struct
- Gets the address of the command line unicode buffer
- Overwrites the fake command line with the real one
- Resumes the main thread
Opsec considerations
Although this simple technique helps bypass command line detection, it may introduce other suspicious telemetry:
- Creation of a suspended process
- The new process has trailing spaces in its command line (but it’s really easy to use a repeated character or even random data instead)
- A write into the spawned process with WriteProcessMemory