LOLSpoof is a an interactive shell program that automatically spoof the command line arguments of the spawned process.
Just call your incriminate-looking command line LOLBin (e.g. powershell -w hidden -enc ZwBlAHQALQBwAHIAbwBjAGUA....
) and LOLSpoof will ensure that the process creation telemetry appears legitimate and clear.
Use only for 64-bit LOLBins
Process command line is a very monitored telemetry, being thoroughly inspected by AV/EDRs, SOC analysts or threat hunters.
lolbin.exe " " * sizeof(real arguments)
Although this simple technique helps to bypass command line detection, it may introduce other suspicious telemetry:
Built with Nim 1.6.12 (compiling with Nim 2.X yields errors!)
nimble install winim
Programs that clear or change the previous printed console messages (such as timeout.exe 10
) breaks the program. when such commands are employed, you'll need to restart the console.
Don't know how to fix that, open to suggestions.