Process Doppelgänging

Information

• Name: Process Doppelgänging

• ID: T1055.013

• Tactics: TA0005, TA0004

• Technique: T1055

Introduction

Process Doppelgänging (T1055.013) is a sophisticated sub-technique within the MITRE ATT&CK Framework under the "Process Injection" tactic. It involves executing malicious code by leveraging transactional NTFS features and Windows process loading mechanisms to evade detection. Attackers use this method to execute malicious payloads without creating easily detectable artifacts, making it particularly challenging for security systems to identify and mitigate.

Deep Dive Into Technique

Process Doppelgänging exploits legitimate features of the Windows operating system, specifically NTFS transactions and process creation mechanisms, to stealthily execute malicious code. The technique typically involves the following steps:

1. Transaction Creation:

   • The attacker initiates an NTFS transaction using Windows API functions such as CreateTransaction(). Transactions allow file operations to be performed without immediately committing changes, thus preventing detection by standard antivirus file scanning methods.

2. File Overwriting within Transaction:

   • A legitimate executable file is opened within the transaction context using APIs like CreateFileTransacted().

   • Malicious payload data is written into the file within the transaction. Because the transaction has not yet committed, the file appears unchanged to external observers and antivirus software.

3. Image Section Creation and Rollback:

   • The attacker creates an executable image section from the modified file using NtCreateSection(). This section is later used to create a process.

   • The transaction is then intentionally rolled back (canceled), reverting the file to its original state. Despite the rollback, the malicious image section remains valid in memory.

4. Process Creation:

   • A new process is created using the previously created malicious image section via APIs such as NtCreateProcessEx().

   • The operating system loads the malicious payload directly from memory, bypassing typical file-based detection and integrity checks.

This method effectively bypasses traditional antivirus and endpoint detection solutions by avoiding persistent malicious files on disk and minimizing suspicious process creation behaviors.

When this Technique is Usually Used

Attackers commonly utilize Process Doppelgänging in various stages and scenarios of cyber-attacks, including:

• Initial Access and Execution:

  • To deliver and execute initial malicious payloads without triggering antivirus alerts or endpoint detection and response (EDR) solutions.

• Defense Evasion:

  • To bypass antivirus scanning and file integrity monitoring by executing payloads directly from memory without leaving persistent traces on disk.

• Privilege Escalation and Persistence:

  • To execute privileged code in memory without creating suspicious file artifacts that might alert defenders.

• Targeted Attacks and Advanced Persistent Threat (APT) Campaigns:

  • Frequently observed in targeted attacks where stealth and evasion are critical to maintaining long-term persistence within compromised environments.

How this Technique is Usually Detected

Detecting Process Doppelgänging is challenging due to its stealthy nature, but the following detection strategies and tools can help identify its usage:

• Behavioral Monitoring and Heuristic Analysis:

  • Monitor for unusual process creation patterns, especially processes that originate from memory sections rather than disk-based files.

  • Identify suspicious API calls such as CreateTransaction(), CreateFileTransacted(), and NtCreateSection() used in rapid succession.

• Endpoint Detection and Response (EDR) Solutions:

  • Advanced EDR tools can detect and alert on suspicious memory-based process creations and transactional file operations.

  • Real-time monitoring of transactional NTFS operations can highlight abnormal usage indicative of Process Doppelgänging.

• Sysmon and Windows Event Logs:

  • Utilize Sysmon to log detailed process creation events, image loads, and API calls related to NTFS transactions and process creation.

  • Correlate logs to identify suspicious transaction rollbacks shortly after image section creation.

• Memory Forensics and Analysis:

  • Perform memory analysis to detect suspicious processes running from memory sections not linked to disk-based executables.

  • Investigate memory dumps to uncover malicious code injection or anomalous loaded modules.

Indicators of Compromise (IoCs)

• Frequent transactional NTFS operations (CreateTransaction, CreateFileTransacted) combined with immediate rollbacks.

• Processes with no corresponding executable file on disk.

• Suspicious API calls sequence involving transactional APIs and low-level process creation functions (NtCreateSection, NtCreateProcessEx).

Why it is Important to Detect This Technique

Detecting Process Doppelgänging is critical due to its significant potential impact on system and network security, including:

• Stealth and Persistence:

  • Allows attackers to maintain undetected persistence within compromised systems, enabling long-term surveillance, data exfiltration, and lateral movement.

• Antivirus and Endpoint Security Evasion:

  • Traditional antivirus solutions relying on file-based signatures and scanning are ineffective against Process Doppelgänging, making detection challenging without advanced behavioral monitoring.

• Privilege Escalation and System Compromise:

  • Enables attackers to execute high-privilege payloads covertly, facilitating further system compromise, credential theft, and lateral movement across networks.

• Data Loss and Exfiltration:

  • Attackers can silently exfiltrate sensitive information without triggering alerts, leading to severe data breaches and compliance violations.

Early detection and response significantly reduce the potential damage and impact caused by attacks leveraging Process Doppelgänging.

Examples

Real-world examples of Process Doppelgänging usage include:

• SynAck Ransomware:

  • SynAck ransomware utilized Process Doppelgänging to evade antivirus detection by executing its malicious payload directly from memory. This allowed the ransomware to encrypt victim files without triggering security alerts, significantly complicating incident response efforts.

• Advanced Persistent Threat (APT) Campaigns:

  • Multiple APT groups have reportedly leveraged Process Doppelgänging to execute stealthy payloads within targeted organizations, facilitating espionage, data theft, and long-term persistence within compromised networks.

• Proof-of-Concept Tools and Exploits:

  • Security researchers have demonstrated Process Doppelgänging in various proof-of-concept tools, publicly showcasing its effectiveness in bypassing antivirus solutions and highlighting the need for improved detection capabilities.

In each scenario, attackers successfully leveraged Process Doppelgänging to evade detection, execute malicious payloads stealthily, and achieve significant operational objectives, underscoring the critical importance of understanding and mitigating this technique.