Webinar: Process Doppelgänging Blocked by enSilo
enSilo is real-time endpoint security software that protects against Process Doppelganging (and lots more). See the on-demand webinar of Lost in Transaction: Process Doppelganging featured at BlackHat Europe.
enSilo’s researchers Tal Liberman, Eugene Kogan, Omri Misgav, and Udi Yavo discovered an evasion technique dubbed Process Doppelgänging that was first presented at BlackHat Europe December 7, 2017. In their presentation Liberman and Kogan demonstrated how to conceal malicious activity deep at the operating system level by manipulating how Windows handles file transactions. By passing off malicious actions as benign, legitimate processes, they showed a potent way for even relatively less-sophisticated attackers to give new life to malicious code threats well-known to security vendors. Once cloaked with “Process Doppelgänging,” these threats can impact the latest versions of Windows protected with fully-updated AV and NGAV security products, where malware payloads can proceed to ransom files, capture keystrokes or steal priceless files.
Process Doppelgänging, though significantly more advanced and evasive, has implications similar to those of Process Hollowing. Although most cybersecurity tools have adapted and are able to detect Process Hollowing, it is still used frequently; a recent example can be seen in Scarab Ransomware as analyzed by enSilo researchers here.
Process Doppelgänging is a modern evasion technique that affects Windows users.
enSilo’s Black Hat Europe research is available for download here. Additionally, interested viewers can register to attend a free, public webinar on Process Doppelgänging with Liberman & Kogan, where they will provide a walk-through of threats and defenses.
Abstract from BlackHat Europe
Process Hollowing is a technique first introduced years ago by attackers to thwart the mitigation capabilities of security products. However, most of today's solutions are able to detect and prevent such notorious attacks. In this talk, we will present a new technique, dubbed Process Doppelgänging, which has similar advantages but is much harder to detect - let alone prevent. Moreover, we will expose inherent limitations in the implementations of modern AV/NGAV scanning engines.
Most modern evasion techniques rely on complex memory manipulation in order to avoid AV/NGAV scan engines. Instead, we wanted to take advantage of the implementation of the Windows loader, and abuse it to load our code, while keeping it away from the prying eyes of security products. Moreover, the code will never be saved to any file on disk, making it invisible to most recording tools such as modern EDRs.
Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.
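The loading sequence the abstract describes (a transacted write to an executable, an image section created from the still-open file, the transaction rolled back, and a process created from that section) can be turned into an ordered detection heuristic. The script below is an added example written for this page; it is not enSilo's code and is not from the Black Hat talk. It scans a constructed per-process API-call trace, and both the trace and the mapping of each step to the named Windows API calls are assumptions; real telemetry would come from an EDR hook or ETW rather than an inline list.

```python
from collections import defaultdict

# Ordered stages of the pattern from the abstract: transacted write to an
# executable, image-section creation from the still-open file, rollback of
# the transaction, then process creation from that section. The API names
# are an assumption about which documented Windows calls carry each step.
STAGES = [
    ("transacted_open", {"CreateFileTransactedW", "CreateFileTransactedA"}),
    ("transacted_write", {"WriteFile", "NtWriteFile"}),
    ("image_section", {"NtCreateSection"}),
    ("rollback", {"RollbackTransaction", "NtRollbackTransaction"}),
    ("process_from_section", {"NtCreateProcessEx", "NtCreateProcess"}),
]

def scan_trace(trace):
    """Walk (pid, api, args) records and return {pid: stages} for every
    process that completes all STAGES in order. args is a dict holding the
    few fields the heuristic looks at (e.g. section flags)."""
    progress = defaultdict(int)        # pid -> index of next expected stage
    stages_hit = defaultdict(list)
    for pid, api, args in trace:
        idx = progress[pid]
        if idx >= len(STAGES):
            continue
        name, apis = STAGES[idx]
        if api not in apis:
            # A commit ends benign transactional use; reset so a later,
            # unrelated call cannot complete a stale partial match.
            if api in {"CommitTransaction", "NtCommitTransaction"}:
                progress[pid] = 0
                stages_hit[pid].clear()
            continue
        # The loader maps the transacted file as an image section; a plain
        # data section (no SEC_IMAGE) does not match the pattern.
        if name == "image_section" and "SEC_IMAGE" not in args.get("flags", ()):
            continue
        stages_hit[pid].append(name)
        progress[pid] = idx + 1
    return {pid: s for pid, s in stages_hit.items() if len(s) == len(STAGES)}

# Constructed trace (not real telemetry): pid 1001 is a legitimate installer
# that commits its transaction; pid 2002 follows the full sequence the
# abstract describes; pid 3003 maps a transacted file only as a data section.
SAMPLE_TRACE = [
    (1001, "CreateFileTransactedW", {"path": r"C:\Program Files\App\app.exe"}),
    (1001, "WriteFile", {}),
    (1001, "CommitTransaction", {}),
    (2002, "CreateFileTransactedW", {"path": r"C:\Windows\System32\notepad.exe"}),
    (2002, "WriteFile", {}),
    (2002, "NtCreateSection", {"flags": ("SEC_IMAGE",)}),
    (2002, "RollbackTransaction", {}),
    (2002, "NtCreateProcessEx", {}),
    (3003, "CreateFileTransactedW", {"path": r"C:\Temp\data.bin"}),
    (3003, "WriteFile", {}),
    (3003, "NtCreateSection", {"flags": ("SEC_COMMIT",)}),
    (3003, "RollbackTransaction", {}),
    (3003, "NtCreateProcessEx", {}),
]

def findings(trace=SAMPLE_TRACE):
    """Human-readable findings for the processes scan_trace flags."""
    return [f"pid {pid}: transacted image loaded after rollback ({' -> '.join(s)})"
            for pid, s in sorted(scan_trace(trace).items())]

if __name__ == "__main__":
    for line in findings():
        print(line)
```

Two design choices matter for false positives: a commit resets the per-process state, because installers and other software legitimately use NTFS transactions and finish them with a commit rather than a rollback, and the section stage only matches when the file is mapped as an image, since mapping a transacted file as a data section is not the loader-abuse the abstract describes.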
Who does this affect?
The latest versions of Windows protected with fully-updated AV and NGAV security products; modern versions of the Microsoft Windows operating system, from Windows Vista through the latest version of Windows 10.
~ See how... It’s possible to conceal malicious activity deep at the operating system level by manipulating how Windows handles file transactions.
~ See how... Relatively less-sophisticated attackers can give new life to older malicious code threats well-known to security vendors.
~ See how... Threats cloaked with Process Doppelgänging are detected by enSilo’s endpoint protection platform.
See how in the Process Doppelgänging Webinar: