LOLSpoof is a an interactive shell program that automatically spoof the command line arguments of the spawned process. Just call your incriminate-looking command line LOLBin (e.g.
powershell -w hidden -enc ZwBlAHQALQBwAHIAbwBjAGUA....) and LOLSpoof will ensure that the process creation telemetry appears legitimate and clear.
Process command line is a very monitored telemetry, being thoroughly inspected by AV/EDRs, SOC analysts or threat hunters.
- Prepares the spoofed command line out of the real one:
lolbin.exe " " * sizeof(real arguments)
- Spawns that suspended LOLBin with the spoofed command line
- Gets the remote PEB address
- Gets the address of RTL_USER_PROCESS_PARAMETERS struct
- Gets the address of the command line unicode buffer
- Overrides the fake command line with the real one
- Resumes the main thread
Although this simple technique helps to bypass command line detection, it may introduce other suspicious telemetry:
- Creation of suspended process
- The new process has trailing spaces (but it’s really easy to make it a repeated character or even random data instead)
- Write to the spawned process with WriteProcessMemory