Common Information
| Type | Value |
|---|---|
| Value |
Process Doppelgänging - T1055.013 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF) Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017) Adversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as <code>NtUnmapViewOfSection</code>, <code>VirtualProtectEx</code>, and <code>SetThreadContext</code>. (Citation: BlackHat Process Doppelgänging Dec 2017) Process Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017): * Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction. * Load – Create a shared section of memory and load the malicious executable. * Rollback – Undo changes to original executable, effectively removing malicious code from the file system. * Animate – Create a process from the tainted section of memory and initiate execution. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process. |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-10-15 | 1 | From Defense to Offense: The Misuse of Red Teaming Tools by Cybercriminals | #cybercrime | #infosec | National Cyber Security Consulting | ||
| Details | Website | 2024-10-11 | 93 | HijackLoader evolution: abusing genuine signing certificates | ||
| Details | Website | 2024-09-26 | 0 | Massive Info Stealer Campaign Targets Gamers, Streamers, And Crypto Investors | ||
| Details | Website | 2024-08-19 | 14 | Hunting for Persistence: Registry Run Keys / Startup Folder | ||
| Details | Website | 2024-08-13 | 21 | Common Malware Loaders - ReliaQuest | ||
| Details | Website | 2024-04-17 | 0 | Reconstructing Executables Part 1: Between Files and Memory | ||
| Details | Website | 2023-10-30 | 6 | Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware - RedPacket Security | ||
| Details | Website | 2023-10-30 | 6 | Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware | ||
| Details | Website | 2023-10-30 | 0 | Threat actors caught using MSIX packages to distribute Ghostpulse malware loader | ||
| Details | Website | 2023-10-27 | 25 | GHOSTPULSE haunts victims using defense evasion bag o' tricks — Elastic Security Labs | ||
| Details | Website | 2023-08-31 | 59 | Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | Rapid7 Blog | ||
| Details | Website | 2023-08-13 | 1 | Code Injection Series — #4 — Process Doppelgänging (T1055.013) | ||
| Details | Website | 2023-08-06 | 1 | Process Doppelgänging | ||
| Details | Website | 2023-08-01 | 5 | 绿盟威胁情报月报-2023年7月 – 绿盟科技技术博客 | ||
| Details | Website | 2023-08-01 | 2 | Cyber Briefing: 2023.08.01 | ||
| Details | Website | 2023-07-31 | 2 | Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT | ||
| Details | Website | 2023-07-31 | 2 | Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT - RedPacket Security | ||
| Details | Website | 2023-07-27 | 10 | Fruity trojan downloader performs multi-stage infection of Windows computers | ||
| Details | Website | 2023-07-01 | 1 | Code Injection Series — #4 — Process Doppelgänging (T1055.013) | ||
| Details | Website | 2023-06-27 | 2 | New Mockingjay Process Injection Technique Could Let Malware Evade Detection | ||
| Details | Website | 2023-06-27 | 2 | New Mockingjay Process Injection Technique Could Let Malware Evade Detection - RedPacket Security | ||
| Details | Website | 2023-06-17 | 8 | SOC First Defense - Understanding The Cyber Attack Chain - A Defense with/without SOC | ||
| Details | Website | 2023-06-13 | 1 | Beware: New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer | ||
| Details | Website | 2023-06-13 | 1 | Beware: New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer - RedPacket Security | ||
| Details | Website | 2023-06-12 | 15 | Загрузчик DoubleFinger доставляет криптовалютный стилер GreetingGhoul |