Skip to content

T1055.013 Process Doppelgänging

Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.

Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. 1 To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. 2 To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. 3

Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. 4

Adversaries may abuse TxF to a perform a file-less variation of Process Injection. Similar to Process Hollowing, process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging’s use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. 4

Process Doppelgänging is implemented in 4 steps 4:

  • Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.
  • Load – Create a shared section of memory and load the malicious executable.
  • Rollback – Undo changes to original executable, effectively removing malicious code from the file system.
  • Animate – Create a process from the tainted section of memory and initiate execution.

This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process.

Item Value
ID T1055.013
Sub-techniques T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1055.015
Tactics TA0005, TA0004
Platforms Windows
Permissions required Administrator, SYSTEM, User
Version 1.0
Created 14 January 2020
Last Modified 09 February 2021

Procedure Examples

ID Name Description
S0534 Bazar Bazar can inject into a target process using process doppelgänging.78
G0077 Leafminer Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems.11
S0242 SynAck SynAck abuses NTFS transactions to launch and conceal malicious processes.910

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Detection

ID Data Source Data Component
DS0022 File File Metadata
DS0009 Process OS API Execution

References

  1. Microsoft. (n.d.). Transactional NTFS (TxF). Retrieved December 20, 2017. 

  2. Microsoft. (n.d.). Basic TxF Concepts. Retrieved December 20, 2017. 

  3. Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved December 20, 2017. 

  4. Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017. 

  5. hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. Retrieved December 20, 2017. 

  6. Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved December 20, 2017. 

  7. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  8. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  9. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018. 

  10. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018. 

  11. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.