Process Doppelganging

// Detect Process Doppelganging via NTFS Transaction API usage
// Key APIs: CreateFileTransacted, NtCreateSection, RollbackTransaction, NtCreateProcessEx
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("CreateFileTransacted", "NtCreateSection", "RollbackTransaction", "NtCreateProcessEx")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
| union (
    // Detect suspicious process creation where the image file doesn't match expected
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("svchost.exe", "explorer.exe", "notepad.exe", "cmd.exe")
    | where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe", "explorer.exe", "winlogon.exe", "userinit.exe", "System")
    | where ProcessVersionInfoProductName == "" or isempty(ProcessVersionInfoProductName)
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, ProcessVersionInfoProductName
)
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ImageName=mvindex(split(Image, "\\"), -1)
| eval ParentName=mvindex(split(ParentImage, "\\"), -1)
// Look for processes with image hash mismatches or unusual characteristics
| eval SuspiciousCreation=case(
    ImageName="svchost.exe" AND NOT ParentImage="*\\services.exe", "HIGH - svchost anomaly",
    ImageName="explorer.exe" AND NOT (ParentImage="*\\winlogon.exe" OR ParentImage="*\\userinit.exe"), "HIGH - explorer anomaly",
    match(CommandLine, "(?i)(createfiletransacted|ntcreatesection|rollbacktransaction)"), "CRITICAL - TxF API in commandline",
    1=1, "LOW"
)
| where SuspiciousCreation!="LOW"
// Additional: look for kernel transaction manager events
| append [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Kernel-Transaction-Manager/Operational" EventCode IN (51, 52, 53, 54)
| eval SuspiciousCreation="MEDIUM - NTFS Transaction activity detected"
| table _time, host, SuspiciousCreation, EventCode]
| table _time, host, User, ParentImage, Image, CommandLine, Hashes, SuspiciousCreation
| sort - _time

process where event.type == "start" and
(
  process.command_line : ("*CreateFileTransacted*", "*NtCreateSection*", "*RollbackTransaction*", "*NtCreateProcessEx*")
  or
  (
    process.name in~ ("svchost.exe", "explorer.exe", "notepad.exe", "cmd.exe") and
    not process.parent.name in~ ("services.exe", "svchost.exe", "winlogon.exe", "userinit.exe", "wininit.exe") and
    (process.pe.company == null or process.pe.company == "")
  )
)

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "Process Name" AS ProcessName,
  "Parent Process Name" AS ParentProcessName,
  "Command" AS CommandLine,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory
FROM events
WHERE LOGSOURCETYPEID IN (12, 433)
  AND LAST 24 HOURS
  AND (
    LOWER("Command") ILIKE '%createfiletransacted%'
    OR LOWER("Command") ILIKE '%ntcreatesection%'
    OR LOWER("Command") ILIKE '%rollbacktransaction%'
    OR LOWER("Command") ILIKE '%ntcreateprocessex%'
    OR (
      LOWER("Process Name") IN ('svchost.exe', 'explorer.exe', 'notepad.exe', 'cmd.exe')
      AND LOWER("Parent Process Name") NOT IN (
        'services.exe', 'svchost.exe', 'winlogon.exe',
        'userinit.exe', 'wininit.exe', 'system'
      )
    )
  )
ORDER BY devicetime DESC

_sourceCategory="windows/sysmon" EventCode=1
| parse regex field=Image "\\\\(?<ImageName>[^\\\\]+)$" nodrop
| parse regex field=ParentImage "\\\\(?<ParentImageName>[^\\\\]+)$" nodrop
| where EventCode = 1
| where (
    matches(toLowerCase(CommandLine), "(?i).*(createfiletransacted|ntcreatesection|rollbacktransaction|ntcreateprocessex).*")
    OR (
      ImageName in ("svchost.exe", "explorer.exe", "notepad.exe", "cmd.exe")
      AND !(ParentImageName in ("services.exe", "svchost.exe", "winlogon.exe", "userinit.exe", "wininit.exe"))
    )
  )
| eval Severity = if(
    matches(toLowerCase(CommandLine), "(?i).*(createfiletransacted|ntcreatesection|rollbacktransaction|ntcreateprocessex).*"),
    "CRITICAL",
    "HIGH"
  )
| fields _time, Computer, User, ParentImageName, ImageName, CommandLine, Hashes, Severity
| sort by _time desc

rule process_doppelganging_t1055_013 {
  meta:
    author = "df00tech"
    description = "Detects Process Doppelganging via NTFS Transaction API usage or anomalous system process spawning (T1055.013)"
    mitre_attack_technique = "T1055.013"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    severity = "CRITICAL"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1055/013/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex(
        $e.target.process.command_line,
        `(?i)(createfiletransacted|ntcreatesection|rollbacktransaction|ntcreateprocessex)`
      )
      or (
        re.regex(
          $e.target.process.file.full_path,
          `(?i)\\(svchost|explorer|notepad|cmd)\.exe$`
        )
        and not re.regex(
          $e.principal.process.file.full_path,
          `(?i)\\(services|svchost|winlogon|userinit|wininit)\.exe$`
        )
      )
    )

  condition:
    $e
}

#event_simpleName=ProcessRollup2
| case {
    CommandLine = /(?i)(createfiletransacted|ntcreatesection|rollbacktransaction|ntcreateprocessex)/ |
      Severity := "CRITICAL" |
      DetectionReason := "TxF API reference in command line" ;
    ImageFileName = /\\(svchost|explorer|notepad|cmd)\.exe$/i
    AND ParentBaseFileName != /^(services|svchost|winlogon|userinit|wininit)\.exe$/i |
      Severity := "HIGH" |
      DetectionReason := "System binary spawned by anomalous parent" ;
    * | Severity := "LOW"
  }
| Severity != "LOW"
| table(
    [_time, ComputerName, UserName, ParentBaseFileName, ImageFileName,
     CommandLine, SHA256HashData, Severity, DetectionReason]
  )
| sort(field=_time, order=desc)