Detect Process Doppelganging in IBM QRadar
Adversaries may inject malicious code into process via process doppelganging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelganging abuses Windows Transactional NTFS (TxF) to perform a fileless variation of process injection. The technique involves four steps: Transact (create a TxF transaction and overwrite a legitimate executable with malicious code), Load (create a shared section from the modified file), Rollback (undo the file changes, removing malicious code from disk), and Animate (create a process from the tainted memory section). This evades detection because the malicious code never exists on disk in its final form and the technique avoids highly-monitored API functions like NtUnmapViewOfSection.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.013 Process Doppelgänging
- Canonical reference
- https://attack.mitre.org/techniques/T1055/013/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS SourceIP,
username AS Username,
"Process Name" AS ProcessName,
"Parent Process Name" AS ParentProcessName,
"Command" AS CommandLine,
LOGSOURCENAME(logsourceid) AS LogSource,
CATEGORYNAME(category) AS EventCategory
FROM events
WHERE LOGSOURCETYPEID IN (12, 433)
AND LAST 24 HOURS
AND (
LOWER("Command") ILIKE '%createfiletransacted%'
OR LOWER("Command") ILIKE '%ntcreatesection%'
OR LOWER("Command") ILIKE '%rollbacktransaction%'
OR LOWER("Command") ILIKE '%ntcreateprocessex%'
OR (
LOWER("Process Name") IN ('svchost.exe', 'explorer.exe', 'notepad.exe', 'cmd.exe')
AND LOWER("Parent Process Name") NOT IN (
'services.exe', 'svchost.exe', 'winlogon.exe',
'userinit.exe', 'wininit.exe', 'system'
)
)
)
ORDER BY devicetime DESCQRadar AQL query detecting Process Doppelganging via Windows Security (LOGSOURCETYPEID 12) and Sysmon (LOGSOURCETYPEID 433) event sources. Identifies TxF API references in command-line fields and anomalous parent-child relationships for commonly doppelganged Windows system binaries. Adjust LOGSOURCETYPEID values to match your QRadar log source configuration.
Data Sources
Required Tables
False Positives & Tuning
- Third-party AV or EDR agents that create child processes of svchost.exe or explorer.exe during on-access scanning or remediation workflows
- Developers running test harnesses that reference TxF API function names as string literals or test parameters in debug builds
- Enterprise RMM tools (ConnectWise, Kaseya) that execute system binaries via their own agent parent processes
Other platforms for T1055.013
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1NTFS Transaction API Check
Expected signal: Sysmon Event ID 1: PowerShell execution. The API check itself generates no injection telemetry — it only verifies API availability.
- Test 2Kernel Transaction Manager Log Verification
Expected signal: Sysmon Event ID 1: PowerShell querying event log configuration. No security event generated — this is a configuration check.
- Test 3Process Doppelganging Detection via Hollowing Artifacts
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. The parent-child anomaly (notepad from PowerShell) triggers Process Hollowing detections that also cover Doppelganging.
References (5)
- https://attack.mitre.org/techniques/T1055/013/
- https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
- https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
- https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.013/T1055.013.md
Unlock Pro Content
Get the full detection package for T1055.013 including response playbook, investigation guide, and atomic red team tests.