
DET0544 Detection Strategy for Process Doppelgänging on Windows

ID: DET0544
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1055.013 (Process Doppelgänging)

Analytics

Windows

AN1501

Detects adversary abuse of Transactional NTFS (TxF) together with undocumented process-creation APIs (NtCreateProcessEx) to build a process from a file image that is never committed to disk. The sequence is: open a legitimate executable inside a transaction (CreateTransaction, CreateFileTransacted), overwrite it with malicious content, create an image section from the transacted file (NtCreateSection), roll the transaction back (RollbackTransaction) so the malicious bytes never reach disk, create a process from that section with NtCreateProcessEx, and finally start execution with NtCreateThreadEx. The resulting process reports the image path of the legitimate executable while the file on disk remains unchanged, which is what defeats file-based scanning and makes the API sequence, not the file, the detection surface.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | CreateTransaction, CreateFileTransacted, RollbackTransaction, NtCreateProcessEx, NtCreateThreadEx

Note on the OS API Execution source: the Microsoft-Windows-Kernel-Process ETW provider emits process, thread and image-load events, not one record per API call, so it will not name CreateTransaction, RollbackTransaction or NtCreateProcessEx directly. Collecting the listed calls by name requires an EDR or user-mode hooking source; the kernel-process provider is still useful for the process-start and thread-start events that the sequence ends with.
Mutable Elements
Field | Description
TransactionExecutableNamePattern | Pattern of legitimate executables commonly used as doppelgänging targets (e.g., svchost.exe, calc.exe); the transacted file path and the created process's image path are matched against it
TimeWindow_TransactionToExecution | Maximum time delta between the TxF rollback and thread creation (NtCreateThreadEx) in the process created from the rolled-back image
ThreadStartEntropyThreshold | Entropy of the memory region at the new thread's start address; high entropy is used to flag obfuscated or packed shellcode
TxF API Call Frequency Threshold | Limit on CreateTransaction + RollbackTransaction sequences per process before the process is considered suspicious
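The following correlation logic shows how the AN1501 sequence and the mutable elements above can be applied to telemetry. It is an added example, not code from the DET0544 page or from MITRE; the event records are constructed for this example, and the "api" records assume an EDR or user-mode hook that emits one record per call with the fields used here (the Microsoft-Windows-Kernel-Process ETW provider does not). Concrete values for the pattern, window and frequency threshold are assumptions chosen for the example.

```python
"""Correlate TxF API calls, process creation and thread creation into Process
Doppelgänging alerts following AN1501. Added example, not code from the DET0544
page or from MITRE. Event records below are constructed; "api" records assume an
EDR / user-mode hook emitting one record per call with these fields."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements from AN1501; these concrete values are assumptions for the example.
TRANSACTION_EXECUTABLE_NAME_PATTERN = re.compile(r"\\(svchost|calc|notepad)\.exe$", re.IGNORECASE)
TIME_WINDOW_TRANSACTION_TO_EXECUTION = timedelta(seconds=5)
TXF_API_CALL_FREQUENCY_THRESHOLD = 1  # CreateTransaction -> RollbackTransaction pairs per process


def _ts(s):
    return datetime.fromisoformat(s)


def _api(ts, pid, api, **extra):
    return {"ts": ts, "pid": pid, "type": "api", "api": api, **extra}


# Constructed sample telemetry. "api" records stand in for OS API Execution events
# (DC0021); "sysmon1" records stand in for Sysmon EventCode=1 (DC0032).
SAMPLE_EVENTS = [
    # pid 4242: the full doppelgänging sequence (transact, load, rollback, animate)
    _api("2025-10-21T10:00:00.000", 4242, "CreateTransaction"),
    _api("2025-10-21T10:00:00.010", 4242, "CreateFileTransacted", path="C:\\Windows\\System32\\svchost.exe"),
    _api("2025-10-21T10:00:00.020", 4242, "NtCreateSection"),
    _api("2025-10-21T10:00:00.030", 4242, "RollbackTransaction"),
    _api("2025-10-21T10:00:00.040", 4242, "NtCreateProcessEx", target_pid=5151),
    {"ts": "2025-10-21T10:00:00.050", "pid": 5151, "type": "sysmon1", "parent_pid": 4242,
     "image": "C:\\Windows\\System32\\svchost.exe"},
    _api("2025-10-21T10:00:00.060", 4242, "NtCreateThreadEx", target_pid=5151),
    # pid 7000: benign installer that commits its transaction (no rollback, no alert)
    _api("2025-10-21T10:01:00.000", 7000, "CreateTransaction"),
    _api("2025-10-21T10:01:00.100", 7000, "CreateFileTransacted", path="C:\\Program Files\\App\\app.exe"),
    _api("2025-10-21T10:01:00.200", 7000, "CommitTransaction"),
    # pid 8000: rolls back a transaction on calc.exe but never creates a process (no alert)
    _api("2025-10-21T10:02:00.000", 8000, "CreateTransaction"),
    _api("2025-10-21T10:02:00.100", 8000, "CreateFileTransacted", path="C:\\Temp\\calc.exe"),
    _api("2025-10-21T10:02:00.200", 8000, "RollbackTransaction"),
    # pid 9000: same sequence as 4242, but thread creation 30 s after rollback (outside window)
    _api("2025-10-21T10:03:00.000", 9000, "CreateTransaction"),
    _api("2025-10-21T10:03:00.010", 9000, "CreateFileTransacted", path="C:\\Windows\\System32\\notepad.exe"),
    _api("2025-10-21T10:03:00.020", 9000, "RollbackTransaction"),
    _api("2025-10-21T10:03:00.030", 9000, "NtCreateProcessEx", target_pid=9191),
    _api("2025-10-21T10:03:30.000", 9000, "NtCreateThreadEx", target_pid=9191),
]


def detect_doppelganging(events, pattern=TRANSACTION_EXECUTABLE_NAME_PATTERN,
                         window=TIME_WINDOW_TRANSACTION_TO_EXECUTION,
                         threshold=TXF_API_CALL_FREQUENCY_THRESHOLD):
    """Return one alert per (loader pid, child pid) that completes the sequence
    CreateTransaction -> CreateFileTransacted(target) -> RollbackTransaction ->
    NtCreateProcessEx(child) -> NtCreateThreadEx(child) within `window` of the rollback."""
    # Sysmon EventCode=1 gives the image the child claims to be; kept for enrichment.
    child_image = {e["pid"]: e["image"] for e in events if e["type"] == "sysmon1"}
    state = defaultdict(lambda: {"open": False, "path": None, "rollback_ts": None,
                                 "rollbacks": 0, "children": set()})
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if ev["type"] != "api":
            continue
        s, api = state[ev["pid"]], ev["api"]
        if api == "CreateTransaction":
            s["open"], s["path"], s["rollback_ts"], s["children"] = True, None, None, set()
        elif api == "CreateFileTransacted" and s["open"]:
            s["path"] = ev.get("path")
        elif api == "CommitTransaction":
            s["open"] = False            # committed data is an ordinary file write, not this technique
        elif api == "RollbackTransaction" and s["open"]:
            s["open"], s["rollback_ts"] = False, _ts(ev["ts"])
            s["rollbacks"] += 1          # counted against TxF API Call Frequency Threshold
        elif api == "NtCreateProcessEx" and s["rollback_ts"] is not None:
            s["children"].add(ev["target_pid"])   # process built from the rolled-back image
        elif api == "NtCreateThreadEx" and ev.get("target_pid") in s["children"]:
            delta = _ts(ev["ts"]) - s["rollback_ts"]
            if (s["rollbacks"] >= threshold and delta <= window
                    and pattern.search(s["path"] or "")):
                alerts.append({"loader_pid": ev["pid"], "child_pid": ev["target_pid"],
                               "transacted_path": s["path"],
                               "child_image": child_image.get(ev["target_pid"]),
                               "rollback_to_thread_ms": delta // timedelta(milliseconds=1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_doppelganging(SAMPLE_EVENTS):
        print(alert)
```

Only pid 4242 produces an alert: the commit path (7000) never rolls back, the rollback without a process (8000) never reaches NtCreateThreadEx, and the slow sequence (9000) falls outside TimeWindow_TransactionToExecution. Widening the window to a minute also surfaces 9000, which is the trade-off the mutable element exists to tune; in production the loader pid should be enriched with its own Sysmon EventCode=1 record so the alert names the binary that performed the transaction.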