T1055.013 Google Chronicle · YARA-L

Detect Process Doppelganging in Google Chronicle

Adversaries may inject malicious code into a process via process doppelganging in order to evade process-based defenses and possibly elevate privileges. Process doppelganging abuses Windows Transactional NTFS (TxF) to perform a fileless variation of process injection. The technique involves four steps: Transact (create a TxF transaction and overwrite a legitimate executable with malicious code), Load (create a shared section from the modified file), Rollback (undo the file changes, removing the malicious code from disk), and Animate (create a process from the tainted memory section). This evades detection because the malicious code never exists on disk in its final form and the technique avoids highly monitored API functions such as NtUnmapViewOfSection.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.013 Process Doppelgänging
Canonical reference
https://attack.mitre.org/techniques/T1055/013/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule process_doppelganging_t1055_013 {
  meta:
    author = "df00tech"
    description = "Detects Process Doppelganging via NTFS Transaction API usage or anomalous system process spawning (T1055.013)"
    mitre_attack_technique = "T1055.013"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    severity = "CRITICAL"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1055/013/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex(
        $e.target.process.command_line,
        `(?i)(createfiletransacted|ntcreatesection|rollbacktransaction|ntcreateprocessex)`
      )
      or (
        re.regex(
          $e.target.process.file.full_path,
          `(?i)\\(svchost|explorer|notepad|cmd)\.exe$`
        )
        and not re.regex(
          $e.principal.process.file.full_path,
          `(?i)\\(services|svchost|winlogon|userinit|wininit)\.exe$`
        )
      )
    )

  condition:
    $e
}
```

Severity: CRITICAL. Confidence: MEDIUM.

Chronicle YARA-L 2.0 rule detecting Process Doppelganging using UDM PROCESS_LAUNCH events. It fires on either of two branches: TxF-related API function names appearing in the process command-line field, or an anomalous parent-child relationship in which a known Windows system binary (svchost, explorer, notepad, cmd) is spawned by a parent other than the expected system processes (services, svchost, winlogon, userinit, wininit). Compatible with Sysmon and MDE telemetry forwarded to Chronicle.

Data Sources

  • Google Chronicle SIEM
  • Microsoft Defender for Endpoint via Chronicle forwarder
  • Windows Sysmon via Chronicle Ingestion API

Required Tables

UDM PROCESS_LAUNCH events

False Positives & Tuning

  • Windows Subsystem for Linux (WSL2) or Hyper-V virtualization infrastructure that creates atypical process parent chains for system binaries during VM lifecycle management
  • Enterprise asset management or endpoint management platforms that invoke system utilities from their own agent parent processes during inventory or remediation
  • DFIR tooling and incident response platforms that run system binaries from analyst-controlled parent processes during live forensic acquisition
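To see how the rule's two branches behave on concrete events, and why the tuning notes above matter, here is an added Python re-implementation of the rule's events section; it is not part of the page's rule or Chronicle code, and the flattened field names and sample events are constructed for illustration.

```python
import re
from typing import Optional

# The three patterns from the YARA-L rule, ported unchanged to Python's re module.
API_NAMES = re.compile(r"(?i)(createfiletransacted|ntcreatesection|rollbacktransaction|ntcreateprocessex)")
SYSTEM_CHILD = re.compile(r"(?i)\\(svchost|explorer|notepad|cmd)\.exe$")
EXPECTED_PARENT = re.compile(r"(?i)\\(services|svchost|winlogon|userinit|wininit)\.exe$")


def matches_rule(event: dict) -> Optional[str]:
    """Mirror the rule's events section for one flattened PROCESS_LAUNCH event:
    return the branch that fired ('api' or 'parent'), or None if it would not match."""
    if event.get("event_type") != "PROCESS_LAUNCH":
        return None
    if API_NAMES.search(event.get("target_cmdline", "")):
        return "api"
    child_is_system = SYSTEM_CHILD.search(event.get("target_path", ""))
    parent_is_expected = EXPECTED_PARENT.search(event.get("principal_path", ""))
    if child_is_system and not parent_is_expected:
        return "parent"
    return None


# Constructed sample events (not real telemetry). The keys are flattened stand-ins for
# target.process.file.full_path, principal.process.file.full_path and target.process.command_line.
SAMPLE_EVENTS = [
    # Normal service host start: system child with an expected parent -> no alert.
    {"event_type": "PROCESS_LAUNCH", "target_path": r"C:\Windows\System32\svchost.exe",
     "principal_path": r"C:\Windows\System32\services.exe", "target_cmdline": "svchost.exe -k netsvcs"},
    # Shape of Atomic test 3: notepad.exe spawned by PowerShell -> parent branch.
    {"event_type": "PROCESS_LAUNCH", "target_path": r"C:\Windows\System32\notepad.exe",
     "principal_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "target_cmdline": "notepad.exe"},
    # TxF API name visible (mixed case) in a command line -> api branch.
    {"event_type": "PROCESS_LAUNCH", "target_path": r"C:\Users\alice\loader.exe",
     "principal_path": r"C:\Windows\explorer.exe", "target_cmdline": "loader.exe --call CreateFileTransactedW"},
    # A user opening a prompt from the shell: explorer.exe is not in the expected-parent list -> fires.
    {"event_type": "PROCESS_LAUNCH", "target_path": r"C:\Windows\System32\cmd.exe",
     "principal_path": r"C:\Windows\explorer.exe", "target_cmdline": "cmd.exe"},
    # Wrong event type is filtered out before any regex runs.
    {"event_type": "FILE_CREATION", "target_path": r"C:\Windows\System32\cmd.exe",
     "principal_path": r"C:\Temp\unknown.exe", "target_cmdline": "cmd.exe"},
]


def evaluate(events):
    """Return [(child path, fired branch or None)] for a batch of events."""
    return [(e["target_path"], matches_rule(e)) for e in events]


if __name__ == "__main__":
    for path, branch in evaluate(SAMPLE_EVENTS):
        print(f"{branch or 'no match':9} {path}")
```

The fourth event shows the main tuning burden of the parent branch: any interactive launch of cmd.exe from explorer.exe fires, because explorer.exe is not in the rule's expected-parent list, so the allowlist or the parent regex needs adjusting per environment.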

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: NTFS Transaction API Check

    Expected signal: Sysmon Event ID 1: PowerShell execution. The API check itself generates no injection telemetry — it only verifies API availability.

  2. Test 2: Kernel Transaction Manager Log Verification

    Expected signal: Sysmon Event ID 1: PowerShell querying event log configuration. No security event generated — this is a configuration check.

  3. Test 3: Process Doppelganging Detection via Hollowing Artifacts

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. The parent-child anomaly (notepad from PowerShell) triggers Process Hollowing detections that also cover Doppelganging.
