Process Arguments Spoofing Using TLS Callbacks

Et Tu, TLS!

Introduction

TLS Callback Argument Spoofing POC

What Is TLS Callback Argument Spoofing?

  • TLS (Thread Local Storage) callbacks execute during process initialization, before the main entry point but after kernel-level EDR logging.

  • This creates a timing window where the Process Environment Block (PEB) can be modified without detection, allowing processes to run with different arguments than what security tools observed at creation time.


How Does It Work?

  1. Process is created with benign command-line arguments (e.g., app.exe --safe-mode --diagnostic). EDR/Sysmon logs these benign arguments at the kernel level.

  2. TLS callback executes automatically during process initialization, before main() runs.

  3. The callback accesses the PEB directly using segment registers (__readgsqword(0x60) on x64), bypassing user-mode API hooks.

  4. Acquires FastPebLock critical section and modifies PEB->ProcessParameters->CommandLine to malicious arguments (e.g., "pwsh.exe -enc <payload>").

  5. Main function executes with the malicious arguments. GetCommandLineW() returns the modified command line.

  6. Before exit, restores original benign arguments and null-pads the buffer to eliminate forensic artifacts.

This approach evades process creation monitoring while avoiding the suspicious patterns of traditional argument spoofing (suspended processes, cross-process memory writes).
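A defender-side check that follows directly from the steps above: Sysmon records the command line at creation (step 1), while the PEB holds the modified value for as long as main() is running (step 5), so the two can be compared for live processes. This is an added example, not part of the PoC; it assumes Sysmon is installed with Event ID 1 enabled, and the function names are my own.

```powershell
# Added example: flag running processes whose live command line (what WMI reads
# from the PEB) differs from the command line Sysmon logged at process creation.
# Because the technique restores the benign arguments before exit (step 6), this
# only catches a spoofed process while it is still alive with modified arguments.

function Normalize-CmdLine {
    param([string]$s)
    if ([string]::IsNullOrWhiteSpace($s)) { return '' }
    # Strip quotes and collapse whitespace so harmless quoting differences do not alert
    return (($s -replace '"', '') -replace '\s+', ' ').Trim().ToLowerInvariant()
}

function Get-SysmonCreationArgs {
    # Returns a hashtable: ProcessId -> @{ CommandLine; UtcTime } from Sysmon EID 1
    $map = @{}
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction Stop) {
        $xml = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $procId = [int]$data['ProcessId']
        # Get-WinEvent yields newest first, so the first hit per PID is the latest creation
        if ($map.ContainsKey($procId)) { continue }
        $utc = [datetime]::ParseExact($data['UtcTime'], 'yyyy-MM-dd HH:mm:ss.fff',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        $map[$procId] = @{ CommandLine = $data['CommandLine']; UtcTime = $utc }
    }
    return $map
}

function Find-SpoofedCommandLines {
    $logged = Get-SysmonCreationArgs
    foreach ($p in Get-CimInstance Win32_Process) {
        $procId = [int]$p.ProcessId
        if (-not $logged.ContainsKey($procId) -or -not $p.CreationDate) { continue }
        $rec = $logged[$procId]
        # Guard against PID reuse: creation times must agree within a few seconds
        $delta = ($p.CreationDate.ToUniversalTime() - $rec.UtcTime).Duration()
        if ($delta -gt [TimeSpan]::FromSeconds(5)) { continue }
        if ((Normalize-CmdLine $p.CommandLine) -ne (Normalize-CmdLine $rec.CommandLine)) {
            [pscustomobject]@{
                ProcessId = $procId
                Image     = $p.ExecutablePath
                Logged    = $rec.CommandLine   # what the EDR/Sysmon saw at creation
                Live      = $p.CommandLine     # what the PEB says now
            }
        }
    }
}

Find-SpoofedCommandLines | Format-List
```

Run it elevated so WMI can read the PEB of processes owned by other users; a mismatch between the Logged and Live columns is the signal the page describes, since few legitimate programs rewrite their own PEB command line.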


Usage

Compile with Visual Studio:

Execute with any benign arguments:

EDR sees: tls_arg_spoof_poc.exe --system-health-check --verbose

Actually executes: "Proof Of Concept.exe" --malarg1 --malarg2

Note: Customize malicious arguments by modifying the g_MaliciousCommandLine global variable in the source code.


Results

1. Testing With Elastic EDR (full protection mode with memory + anomalous behavior detection + ransomware protection)

2. Sysmon Result
