In this post we won't be covering the details of how this process impersonation technique works. There are several good articles detailing the modus operandi of Process Doppelgänging.
In a nutshell, the technique calls several APIs related to NTFS transactions, which allow the PE content to be substituted before the process is even created.
Interestingly, we've found that Windows creates a security event to track NTFS transaction state changes (EventID=4985):
Trying to baseline what's "normal" for EID 4985 from more than 10 Windows servers:
We've also observed on 4 other machines running Windows 7 or Windows 10 that lsass.exe, svchost.exe and TrustedInstaller.exe are the source of 100% of the logged 4985 events.
Testing Process Doppelgänging on a Windows 7 machine yielded the following:
EventID=4985 and LogonID !='0x3E7' or process path not in:
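The rule above, as an added example that is not part of the original post: a small Python detector that pulls the Logon ID and Process Name out of a 4985 event's message text (constructed samples) and applies the rule. The allowlisted full paths are an assumption derived from the three benign source processes named above; "loader.exe" is a hypothetical name used only for the sample.

```python
# Added example (not from the original post): EID 4985 detection logic,
# i.e. alert when LogonID != 0x3E7 (SYSTEM) or the process path is not
# one of the processes observed as normal sources of 4985 events.
import re

SYSTEM_LOGON_ID = "0x3e7"

# Assumed full paths of the processes the post observed as benign sources.
ALLOWED_PROCESSES = {
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\servicing\trustedinstaller.exe",
}


def parse_4985_message(message: str) -> dict:
    """Extract the two fields the rule needs from a 4985 message body."""
    logon = re.search(r"Logon ID:\s*(0x[0-9A-Fa-f]+)", message)
    proc = re.search(r"Process Name:\s*(.+)", message)
    return {
        "EventID": 4985,
        "LogonID": logon.group(1) if logon else "",
        "ProcessName": proc.group(1).strip() if proc else "",
    }


def is_suspicious_4985(event: dict) -> bool:
    """True when EventID=4985 and (LogonID != 0x3E7 or path not allowlisted)."""
    if event.get("EventID") != 4985:
        return False
    logon_ok = event.get("LogonID", "").lower() == SYSTEM_LOGON_ID
    proc_ok = event.get("ProcessName", "").lower() in ALLOWED_PROCESSES
    return not (logon_ok and proc_ok)


# Constructed sample message bodies in the layout of a 4985 event.
SAMPLE_EVENTS = [
    "Subject:\n\tLogon ID:\t0x3E7\nProcess Information:\n"
    "\tProcess Name:\tC:\\Windows\\System32\\svchost.exe",
    "Subject:\n\tLogon ID:\t0x3E7\nProcess Information:\n"
    "\tProcess Name:\tC:\\Users\\alice\\Desktop\\loader.exe",
    "Subject:\n\tLogon ID:\t0x5A2B1\nProcess Information:\n"
    "\tProcess Name:\tC:\\Windows\\System32\\lsass.exe",
]


def find_suspicious(messages) -> list:
    """Return the process paths of the sample events that match the rule."""
    parsed = [parse_4985_message(m) for m in messages]
    return [e["ProcessName"] for e in parsed if is_suspicious_4985(e)]


if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_EVENTS):
        print("suspicious 4985 event from", path)
```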