Windows Process Command Line Spoofing Through Symbolic Link

   March 8, 2026  Posted in zerosalarium
Share: XFacebookPinterestRedditVKDiggLinkedinMix


I. INTRODUCTION

Endpoint Detection & Response (EDR) systems often use the
ProcessParameters field of the
Process Environment Block (PEB) to retrieve information about the path
and name of the executable image that initiated the process, along with any
arguments passed to it.

By faking the “CommandLine” field of the process, we can somewhat
confuse the log analysis system, making it easier to conceal activities on the
target machine more discreetly.

Modern EDRs and antivirus solutions will show no mercy to your process if you
attempt to overwrite the Process Environment Block (PEB) right after initialization. Therefore, you need to find a way to slip
through this narrow gap.

In this article, I will experiment with faking the image file path in the
CommandLine” of the process by using a Symbolic Link. I will also
conduct practical experiments with Process Explorer, Sysmon, and System
Informer.

Feel free to ask me at: Two Seven One Three (@TwoSevenOneT) / X.

II. MAIN SECTION

1. Basic Information About Processparameters In PEB

The ProcessParameters field is a pointer to a
RTL_USER_PROCESS_PARAMETERS structure.

This structure holds critical process startup information, including:

  • CommandLine (UNICODE_STRING) – The full command line used to start
    the process.
  • ImagePathName (UNICODE_STRING) – The full path to the executable.
  • CurrentDirectory (UNICODE_STRING) – The working directory of the process.
  • Environment (PVOID) – Pointer to environment variables.
  • WindowTitle (UNICODE_STRING) – The title of the main window (if applicable).
  • DesktopInfo (UNICODE_STRING) – Specifies the desktop for GUI processes.
  • ShellInfo (UNICODE_STRING) – Shell-specific information.
  • RuntimeData (UNICODE_STRING) – Used by the runtime loader.

In this article, we will focus on the CommandLine section.

2. Experimenting With Directory Symbolic Links Using Process Explorer

In Windows, a symbolic link (also known as a symlink or soft link) acts as a
pointer to another file or directory, allowing the target to be accessed from
multiple locations.

For example:

mklink /d "C:MyFolder" "D:TargetFolder"

This command creates a symbolic link named “C:AliasFolder” that points
to the folder “D:TargetFolder“. Now, when you navigate to “C: AliasFolder” in File Explorer or use it in a command, you’ll be accessing the contents
of “D:TargetFolder“.

So with the information above, let’s assume I have the command to create
a symlink as follows:

mklink /D "C:FakePathModules" "C:TMPTarget"

create symbolic link of directory

When I create a process with the path
C:FakePathModulesSampleEXE.exe“, Windows will automatically
redirect and execute the file “SampleEXE.exe” in the
C:TMPTarget” folder.

Now we will check whether, from Process Explorer, the path of the process
SampleEXE.exe” will be understood as
C:FakePathModulesSampleEXE.exe” or
C:TMPTargetSampleEXE.exe“.

spoof path and command line of process in procexp

As demonstrated in the experiment above, Process Explorer still recognizes
the path and “CommandLine” of the process as being located at
C:FakePathModulesSampleEXE.exe“.

So if I create the process and then delete the directory symlink, based
solely on Process Explorer, you won’t be able to find the actual location
of the executable file. More precisely, the path of the executable file no
longer exists at that point. This is always the desired state that malware
aims for: to become invisible and not exist within the monitoring scope of
monitoring tools.

Execute path of process not exist after delete directory symlink

Let’s check with System Informer (Process Hacker) to see how it behaves in
this situation.

fake command line path in process hacker

Process Hacker can resolve the actual location of the executable file, but
the “Command Line” of the process still remains at the spoofed path.

Let’s continue to check how Sysmon will log the information for the process
mentioned above.

fake process command line in sysmon

With WMI query:

fake command line path in wmi query

Thus, by utilizing directory symlink, we can partially spoof the process
command line. Although it is not as perfect as complete spoofing, as it
only changes the path of the executable file in this record, it still
contributes to making log analysis more complex.

III. FINALE

The rules of EDRs heavily rely on the Process Environment Block (PEB) of
processes to detect malicious activities on clients.

One of the important fields of the process PEB is ProcessParameters, which
contains information about the executable file path along with the
parameters of the process at initialization.

By utilizing directory symbolic links, we can spoof the executable file path
in the ProcessParameters field. After the process is initialized, if the
symbolic link is deleted, the executable file path in ProcessParameters will
point to a non-existent location. This is ideal for malware or red team
activities.

When building detection rules, in addition to relying on the
ProcessParameters field, we need to consider other fields to make monitoring
and detection more effective and accurate. In this case, the rule to detect
spoofed ProcessParameters is to compare the Image Path with the executable
file path found in the CommandLine.



Source link