From c97658233df82e3a9e40c584927ffa76264a6c8e Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Mon, 5 Jan 2026 22:06:05 +0100 Subject: [PATCH] refactor(rules): Rename and improve Potential process doppelganging injection rule Make the rule more robust against false positives by checking that the process name is different than the base executable path, and also check the callstack to deduce the process is created from the low-level API function. --- ...ential_process_doppelganging_injection.yml | 58 ------------------- ..._process_creation_via_ntfs_transaction.yml | 39 +++++++++++++ 2 files changed, 39 insertions(+), 58 deletions(-) delete mode 100644 rules/defense_evasion_potential_process_doppelganging_injection.yml create mode 100644 rules/defense_evasion_process_creation_via_ntfs_transaction.yml diff --git a/rules/defense_evasion_potential_process_doppelganging_injection.yml b/rules/defense_evasion_potential_process_doppelganging_injection.yml deleted file mode 100644 index da2a1f306..000000000 --- a/rules/defense_evasion_potential_process_doppelganging_injection.yml +++ /dev/null @@ -1,58 +0,0 @@ -name: Potential Process Doppelganging -id: eb34cf6e-ccc3-4bce-bbcf-013720640a28 -version: 1.0.2 -description: | - Adversaries may inject malicious code into process via process doppelganging - in order to evade process-based defenses as well as possibly elevate privileges. - Process doppelganging is a method of executing arbitrary code in the address space - of a separate live process. - - Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform - safe file operations. To ensure data integrity, TxF enables only one transacted - handle to write to a file at a given time. Until the write handle transaction is - terminated, all other handles are isolated from the writer and may only read the - committed version of the file that existed at the time the handle was opened. To - avoid corruption, TxF performs an automatic rollback if the system or application - fails during a write transaction. - - Although deprecated, the TxF application programming interface (API) is still enabled - as of Windows 11. - - Adversaries may abuse TxF to a perform a file-less variation of Process Injection. - Similar to Process Hollowing, process doppelganging involves replacing the memory of - a legitimate process, enabling the veiled execution of malicious code that may evade - defenses and detection. Process doppelganging's use of TxF also avoids the use of - highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and - SetThreadContext. - - Process Doppelganging is implemented in 4 steps: - - 1. Transact – Create a TxF transaction using a legitimate executable then overwrite - the file with malicious code. - 2. Load – Create a shared section of memory and load the malicious executable. - 3. Rollback – Undo changes to original executable, effectively removing malicious code - from the file system. - 4. Animate – Create a process from the tainted section of memory and initiate execution. -labels: - tactic.id: TA0005 - tactic.name: Defense Evasion - tactic.ref: https://attack.mitre.org/tactics/TA0005/ - technique.id: T1055 - technique.name: Process Injection - technique.ref: https://attack.mitre.org/techniques/T1055/ - subtechnique.id: T1055.013 - subtechnique.name: Process Doppelganging - subtechnique.ref: https://attack.mitre.org/techniques/T1055/013/ -references: - - https://www.ired.team/offensive-security/code-injection-process-injection/process-doppelganging - - https://www.malwarebytes.com/blog/news/2018/08/process-doppelganging-meets-process-hollowing_osiris - -condition: > - sequence - maxspan 2m - |create_file and thread.callstack.symbols imatches ('kernel32.dll!CreateFileTransacted*', 'ntdll.dll!RtlSetCurrentTransaction')| by ps.uuid - |spawn_process| by ps.parent.uuid -action: - - name: kill - -min-engine-version: 3.0.0 diff --git a/rules/defense_evasion_process_creation_via_ntfs_transaction.yml b/rules/defense_evasion_process_creation_via_ntfs_transaction.yml new file mode 100644 index 000000000..866a120b3 --- /dev/null +++ b/rules/defense_evasion_process_creation_via_ntfs_transaction.yml @@ -0,0 +1,39 @@ +name: Process creation via NTFS transaction +id: eb34cf6e-ccc3-4bce-bbcf-013720640a28 +version: 2.0.0 +description: | + Adversaries may inject malicious code into process by abusing NTFS transactions + to avoid writing the final executable image to disk. Attackers exploit TxF API + and low-level process creation internals to evade traditional file-based detection. +labels: + tactic.id: TA0005 + tactic.name: Defense Evasion + tactic.ref: https://attack.mitre.org/tactics/TA0005/ + technique.id: T1055 + technique.name: Process Injection + technique.ref: https://attack.mitre.org/techniques/T1055/ + subtechnique.id: T1055.013 + subtechnique.name: Process Doppelganging + subtechnique.ref: https://attack.mitre.org/techniques/T1055/013/ +references: + - https://www.ired.team/offensive-security/code-injection-process-injection/process-doppelganging + - https://www.malwarebytes.com/blog/news/2018/08/process-doppelganging-meets-process-hollowing_osiris + +condition: > + sequence + maxspan 2m + |create_file and + evt.pid != 4 and thread.callstack.symbols imatches + ( + 'kernel32.dll!CreateFileTransacted*', + 'ntdll.dll!RtlSetCurrentTransaction' + ) + | by file.name + |spawn_process and + ps.name != base(ps.exe) and + thread.callstack.symbols not imatches ('ntdll.dll!*CreateUserProcess') + | by ps.name +action: + - name: kill + +min-engine-version: 3.0.0