[MART] - Daily Diary #521 - Malware Techniques - Process Doppelgänging

CTAS-MAT ctas-mat at appgate.com
Tue May 31 00:16:25 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

05/30/2022 - Diary entry #521:

Following the thread started in our Daily Diary #420, today we will cover a Process Injection technique: Process Doppelgänging.

Like Process Hollowing (covered in Daily Diary #509), Process Doppelgänging is a Process Injection sub-technique tracked in the MITRE ATT&CK Framework, as T1055.013. It executes malicious code inside a trusted process by replacing the legitimate executable's code, via Windows Transactional NTFS (TxF), before the process is created.

To implement Process Doppelgänging, the malicious program creates a TxF transaction and overwrites a legitimate executable file inside it; the modified file content is visible only within the context of that transaction. It then creates a shared section of memory from the transacted file, which loads the malicious code. Next, it restores the original executable by rolling back the transaction, removing the malicious code from disk. Finally, it creates a process from that shared section of memory and executes the code.

Compared to Process Hollowing, Process Doppelgänging has the advantage of being fileless, and it does not rely on the common Windows APIs that are frequently monitored. On the other hand, in both techniques the executed code (spawned from another process) inherits that process's security context, so it does not necessarily acquire elevated privileges.
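As an added illustration (not part of the diary entry), the detection side of the sequence above: a small state machine that walks a per-process API hook trace and flags a process only when it completes the whole chain in order, while ignoring legitimate TxF use that ends in a commit. The trace format, the handle values and the assumption that the hooks log these native API names are all constructed for this example.

```python
import re
from collections import defaultdict

# Stages of the sequence the diary describes, in order: open a TxF
# transaction, write the target file inside it, build a section from the
# transacted file, roll back (restore the file), create a process from the
# section. Native API names are an assumption about what the hook logs.
STAGES = ["NtCreateTransaction", "NtCreateFile", "NtCreateSection",
          "NtRollbackTransaction", "NtCreateProcessEx"]

LINE_RE = re.compile(r"pid=(\d+)\s+api=(\w+)(?:\s+(.*))?")

def parse_trace(lines):
    """Yield (pid, api, extras) from constructed hook-trace lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3) or ""

def detect_doppelganging(lines):
    """Return pids that complete the whole stage chain, in order."""
    progress = defaultdict(int)          # pid -> index of next stage
    flagged = []
    for pid, api, extras in parse_trace(lines):
        if api == "NtCommitTransaction":  # change became durable: not fileless
            progress[pid] = 0
            continue
        if progress[pid] >= len(STAGES) or api != STAGES[progress[pid]]:
            continue                      # out of order or unrelated call
        if api == "NtCreateFile" and "tx=" not in extras:
            continue                      # plain file open, not transacted
        progress[pid] += 1
        if progress[pid] == len(STAGES):
            flagged.append(pid)
    return flagged

# Constructed sample: pid 4242 walks the full chain, pid 900 uses TxF
# legitimately and commits, pid 77 spawns a process with no transaction.
SAMPLE_TRACE = """
pid=4242 api=NtCreateTransaction
pid=900 api=NtCreateTransaction
pid=4242 api=NtCreateFile path=C:\\Windows\\System32\\notepad.exe tx=0x1a4
pid=900 api=NtCreateFile path=C:\\data\\report.txt tx=0x1b0
pid=900 api=NtCommitTransaction
pid=4242 api=NtCreateSection file=0x2c8
pid=77 api=NtCreateProcessEx section=0x300
pid=4242 api=NtRollbackTransaction
pid=4242 api=NtCreateProcessEx section=0x2d0
""".strip().splitlines()
```

Running `detect_doppelganging(SAMPLE_TRACE)` returns `[4242]`; a real detector would additionally correlate the section handle passed to process creation with the one built from the transacted file.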

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>



