In this post we won't be covering the details of how this process impersonation technique works; there are several good articles detailing the modus operandi of Process Doppelgänging.
In a nutshell, the technique calls several APIs related to NTFS transactions, which allow the PE content to be substituted before the process is even created.
Interestingly, we've found that Windows creates a security event to track NTFS transaction state changes (EventID=4985):
Trying to baseline what's "normal" for EID 4985 across more than 10 Windows servers:
We've also observed on 4 other machines running Win7 or Win10 that lsass.exe, svchost.exe and TrustedInstaller.exe are the source of 100% of the logged 4985 events.
Testing Process Doppelgänging on a Windows 7 machine yielded the following:
Detection:
EventID=4985 and LogonID !='0x3E7' or process path not in:
- c:\windows\system32\svchost.exe
- c:\windows\system32\lsass.exe
- c:\windows\servicing\TrustedInstaller.exe
- c:\windows\system32\poqexec.exe
- c:\windows\winSxS\*\TiWorker.exe
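The rule above, implemented as a small triage script (an added example, not code from the original post). It parses constructed 4985 event messages in the layout Windows uses for the Subject and Process Information blocks, then flags any event whose Logon ID is not the SYSTEM logon (0x3E7) or whose process path is outside the allowlist; the wildcard entry for TiWorker.exe is matched with fnmatch. The sample events, process paths and logon IDs are constructed placeholders.

```python
import fnmatch
import re

# Allowlist from the rule above (compared case-insensitively; '*' spans path components).
ALLOWED_PROCESS_PATHS = [
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\poqexec.exe",
    r"c:\windows\winsxs\*\tiworker.exe",
]

SYSTEM_LOGON_ID = "0x3e7"   # the well-known SYSTEM logon session


def path_is_allowed(process_name):
    """True when the process path matches one of the allowlist patterns."""
    if not process_name:
        return False
    path = process_name.lower()
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in ALLOWED_PROCESS_PATHS)


def is_suspicious_4985(event_id, logon_id, process_name):
    """Apply the detection rule: 4985 from a non-SYSTEM logon or a non-allowlisted process."""
    if event_id != 4985:
        return False
    return (logon_id or "").lower() != SYSTEM_LOGON_ID or not path_is_allowed(process_name)


def parse_4985_message(message):
    """Extract 'Key: value' fields from the rendered event message into a dict."""
    fields = {}
    for line in message.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2)
    return {
        "EventID": 4985,
        "LogonID": fields.get("Logon ID"),
        "ProcessName": fields.get("Process Name"),
    }


def triage(messages):
    """Return the process names of all events that trip the rule."""
    hits = []
    for message in messages:
        ev = parse_4985_message(message)
        if is_suspicious_4985(ev["EventID"], ev["LogonID"], ev["ProcessName"]):
            hits.append(ev["ProcessName"])
    return hits


def _sample(account, logon_id, pid, process_name):
    # Constructed 4985 message body approximating the Windows rendering (not a real capture).
    return (
        "The state of a transaction has changed.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n"
        f"\tAccount Name:\t\t{account}\n"
        "\tAccount Domain:\t\tEXAMPLE\n"
        f"\tLogon ID:\t\t{logon_id}\n\n"
        "Process Information:\n"
        f"\tProcess ID:\t\t{pid}\n"
        f"\tProcess Name:\t\t{process_name}\n"
    )


# Constructed sample events: two benign, two that should be flagged.
SAMPLE_EVENTS = [
    _sample("HOST01$", "0x3E7", "0x2a8", "C:\\Windows\\System32\\svchost.exe"),
    _sample("HOST01$", "0x3E7", "0x1b4c", "C:\\Windows\\WinSxS\\amd64_placeholder\\TiWorker.exe"),
    _sample("user01", "0x5A3C1", "0x3e8", "C:\\Users\\user01\\Desktop\\loader.exe"),
    _sample("user01", "0x1F4A2", "0x4d0", "C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_EVENTS):
        print("suspicious 4985 from:", name)
```

The fourth sample is deliberately an allowlisted binary under a non-SYSTEM logon; the rule uses "or", so it is flagged on the Logon ID alone, which is the behaviour the rule as written gives.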
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985
https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf