Detect Process Doppelganging in CrowdStrike LogScale
Adversaries may inject malicious code into a process via process doppelganging in order to evade process-based defenses and possibly elevate privileges. Process doppelganging abuses Windows Transactional NTFS (TxF) to perform a fileless variation of process injection. The technique involves four steps: Transact (create a TxF transaction and overwrite a legitimate executable with malicious code), Load (create a shared section from the modified file), Rollback (undo the file changes, removing the malicious code from disk), and Animate (create a process from the tainted memory section). This evades detection because the malicious code never exists on disk in its final form, and the technique avoids highly monitored API functions such as NtUnmapViewOfSection.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.013 Process Doppelgänging
- Canonical reference
- https://attack.mitre.org/techniques/T1055/013/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| case {
CommandLine = /(?i)(createfiletransacted|ntcreatesection|rollbacktransaction|ntcreateprocessex)/ |
Severity := "CRITICAL" |
DetectionReason := "TxF API reference in command line" ;
ImageFileName = /\\(svchost|explorer|notepad|cmd)\.exe$/i
AND ParentBaseFileName != /^(services|svchost|winlogon|userinit|wininit)\.exe$/i |
Severity := "HIGH" |
DetectionReason := "System binary spawned by anomalous parent" ;
* | Severity := "LOW"
}
| Severity != "LOW"
| table(
[_time, ComputerName, UserName, ParentBaseFileName, ImageFileName,
CommandLine, SHA256HashData, Severity, DetectionReason]
)
| sort(field=_time, order=desc)
CrowdStrike LogScale query using Falcon ProcessRollup2 events to detect Process Doppelganging. It applies case-based severity triage: CRITICAL for TxF API strings appearing in command-line telemetry, HIGH for anomalous parent-child process relationships involving common doppelganging targets. Results are enriched with the SHA256 hash for rapid IOC pivoting.
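To show how the case branches above score events in practice, here is an added Python mirror of the query's triage logic (not part of the original page or of LogScale) run over constructed ProcessRollup2-style events; the event values, hostnames and the `loader.exe` command line are made up for illustration.

```python
import re

# Python mirror of the LogScale case block above, run over constructed
# ProcessRollup2-style events. Field names follow Falcon telemetry.
TXF_API_RE = re.compile(
    r"(createfiletransacted|ntcreatesection|rollbacktransaction|ntcreateprocessex)", re.I)
TARGET_IMAGE_RE = re.compile(r"\\(svchost|explorer|notepad|cmd)\.exe$", re.I)
EXPECTED_PARENT_RE = re.compile(r"^(services|svchost|winlogon|userinit|wininit)\.exe$", re.I)

def triage(event):
    """Return (Severity, DetectionReason) for one event. As in the LogScale
    `case`, the first matching branch wins, so a TxF API string in the
    command line outranks a parent-child anomaly."""
    if TXF_API_RE.search(event.get("CommandLine", "")):
        return "CRITICAL", "TxF API reference in command line"
    if (TARGET_IMAGE_RE.search(event.get("ImageFileName", ""))
            and not EXPECTED_PARENT_RE.match(event.get("ParentBaseFileName", ""))):
        return "HIGH", "System binary spawned by anomalous parent"
    return "LOW", ""

def run_detection(events):
    """Score every event and drop LOW ones, as `| Severity != "LOW"` does."""
    hits = []
    for ev in events:
        sev, reason = triage(ev)
        if sev != "LOW":
            hits.append({**ev, "Severity": sev, "DetectionReason": reason})
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # svchost started by services.exe: expected parent, filtered out
    {"ComputerName": "WS01", "ParentBaseFileName": "services.exe",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # notepad spawned by PowerShell (the shape of Atomic test 3): HIGH
    {"ComputerName": "WS01", "ParentBaseFileName": "powershell.exe",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    # TxF API name in the command line: CRITICAL regardless of parent
    {"ComputerName": "WS02", "ParentBaseFileName": "explorer.exe",
     "ImageFileName": r"\Device\HarddiskVolume2\Tools\loader.exe",
     "CommandLine": "loader.exe --api NtCreateSection --rollback"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["Severity"], hit["ComputerName"], hit["DetectionReason"])
```

The first event is dropped because its parent is on the expected list, which is the same path a legitimate service host takes in the query; the False Positives section below describes the cases where that parent attribution can be wrong.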
False Positives & Tuning
- Falcon sensor telemetry gaps during sensor updates may cause transient parent process misattribution in ProcessRollup2 events
- Software executing under SYSTEM context via Task Scheduler or SCM may surface with unexpected ParentBaseFileName values that do not reflect true spawn origin
- Third-party security products that hook process creation subsystems may alter apparent parent-child relationships visible in Falcon telemetry
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: NTFS Transaction API Check
Expected signal: Sysmon Event ID 1: PowerShell execution. The API check itself generates no injection telemetry — it only verifies API availability.
- Test 2: Kernel Transaction Manager Log Verification
Expected signal: Sysmon Event ID 1: PowerShell querying event log configuration. No security event generated — this is a configuration check.
- Test 3: Process Doppelganging Detection via Hollowing Artifacts
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. The parent-child anomaly (notepad from PowerShell) triggers Process Hollowing detections that also cover Doppelganging.
References (5)
- https://attack.mitre.org/techniques/T1055/013/
- https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
- https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
- https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.013/T1055.013.md