Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.
Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. [1] To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. [2] To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. [3]
Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. [4]
Adversaries may abuse TxF to a perform a file-less variation of Process Injection. Similar to Process Hollowing, process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection
, VirtualProtectEx
, and SetThreadContext
. [4]
Process Doppelgänging is implemented in 4 steps [4]:
This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process.
ID | Name | Description |
---|---|---|
S0534 | Bazar |
Bazar can inject into a target process using process doppelgänging.[5][6] |
G0077 | Leafminer |
Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems.[7] |
S0242 | SynAck |
SynAck abuses NTFS transactions to launch and conceal malicious processes.[8][9] |
ID | Mitigation | Description |
---|---|---|
M1040 | Behavior Prevention on Endpoint |
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Metadata |
DS0009 | Process | OS API Execution |
Monitor and analyze calls to CreateTransaction
, CreateFileTransacted
, RollbackTransaction
, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx
and NtCreateThreadEx
as well as API calls used to modify memory within another process, such as WriteProcessMemory
. [4] [10]
Scan file objects reported during the PsSetCreateProcessNotifyRoutine, [11] which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. [4] Also consider comparing file objects loaded in memory to the corresponding file on disk. [10]
Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.