How does the technique to bypass Windows command line process auditing work?
The technique works by creating a suspended process using the `CreateProcess` API with the `CREATE_SUSPENDED` flag, then modifying its `CommandLine` parameter in memory via `ReadProcessMemory` and `WriteProcessMemory`. After modification, the process is resumed with `ResumeThread`, and if the process doesn't exit immediately, the command line is restored to hide the true parameters. This method, described in Penetration Techniques - Bypassing Windows Command Line Process Auditing, effectively bypasses Event ID 4688 logging.