Thursday, 7 February 2019

Threat Hunting #20 - Detecting Process Doppelgänging using event 4985


In this post we won't be covering the details of how this process impersonation technique works. There are several good articles detailing the modus operandi of Process Doppelgänging.

In a nutshell, this technique calls several APIs related to NTFS transactions which allow to substitute the PE content before even the process is created.

Interestingly we've found that Windows creates a security event to track NTFS transaction's state changes (EventID=4985):



Trying to baseline what's "normal" for EID 4985 from more than 10 windows servers:




We've observed also on 4 other machines with Win7|Win10 that lsass.exe, svchost.exe and TrustedInstaller.exe are the source of 100% of logged 4985 events.

Testing Process Doppelgänging  on a Windows 7 machine yield the following:




Detection:

EventID=4985 and LogonID !='0x3E7' or process path not in:

  • c:\windows\system32\svchost.exe
  • c:\windows\system32\lsass.exe|
  • c:\windows\servicing\TrustedInstaller.exe
  • c:\windows\system32\poqexec.exe
  • c:\windows\winSxS\*\TiWorker.exe
References:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985
https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf





No comments:

Post a Comment