Spoof Process Arguments
Each Beacon has an internal list of commands it should spoof arguments for. When Beacon runs a command that matches an entry in this list, Beacon:
- Starts the matched process in a suspended state (with the fake arguments)
- Updates the process memory with the real arguments
- Resumes the process
The effect is that host instrumentation recording a process launch will see the fake arguments. This helps mask your real activity.
Use argue [command] [fake arguments] to add a command to this internal list. The [command] portion may contain an environment variable. Use argue [command] to remove a command from this internal list. argue, by itself, lists the commands in this internal list.
The process match logic is exact. If Beacon tries to launch “net.exe”, it will not match net, NET.EXE, or c:\windows\system32\net.exe from its internal list. It will only match net.exe.
x86 Beacon can only spoof arguments in x86 child processes. Likewise, x64 Beacon can only spoof arguments in x64 child processes.
The real arguments are written to the memory space that holds the fake arguments. If the real arguments are longer than the fake arguments, the command launch will fail.
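A defender-side check for the behaviour described above, as an added example (not code from this page or from Cobalt Strike): because instrumentation records the fake arguments at launch while the process PEB later holds the real ones, comparing the two exposes the swap. The creation events and the PEB snapshot are constructed; collecting them on a live host (for example Sysmon Event ID 1 plus a PEB command-line reader) is assumed.

```python
"""Detect process argument spoofing by comparing launch-time telemetry with the
live PEB command line. Sample data below is constructed for illustration."""
import re


def normalize(cmdline: str) -> str:
    """Collapse whitespace and case so cosmetic differences are not flagged."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def find_spoofed_args(creation_events, live_snapshot):
    """creation_events: list of {"pid", "image", "cmdline"} recorded at launch.
    live_snapshot: {pid: command line currently held in that process's PEB}.
    Returns (pid, image, logged_cmdline, live_cmdline) for every mismatch.
    A mismatch means something rewrote the command line after launch; legitimate
    self-rewrites are rare on Windows, so each hit deserves a look."""
    hits = []
    for ev in creation_events:
        live = live_snapshot.get(ev["pid"])
        if live is None:
            continue  # process already exited; nothing to compare against
        if normalize(live) != normalize(ev["cmdline"]):
            hits.append((ev["pid"], ev["image"], ev["cmdline"], live))
    return hits


# Constructed sample input: one spoofed launch among ordinary ones. The fake
# arguments (recorded at launch) are longer than the real ones, as the
# overwrite requires.
CREATION_EVENTS = [
    {"pid": 4120, "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net.exe view /all /domain:corp"},
    {"pid": 4122, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"pid": 4130, "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe"},
]
LIVE_SNAPSHOT = {
    4120: "net.exe use Z: \\\\fs01\\share",  # PEB now shows the real arguments
    4122: "cmd.exe /c whoami",
    # 4130 has exited and is absent from the snapshot
}

if __name__ == "__main__":
    for pid, image, logged, live in find_spoofed_args(CREATION_EVENTS, LIVE_SNAPSHOT):
        print(f"pid {pid} {image}: logged {logged!r} but PEB holds {live!r}")
```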