T1055.013 Microsoft Sentinel · KQL

Detect Process Doppelganging in Microsoft Sentinel

Adversaries may inject malicious code into process via process doppelganging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelganging abuses Windows Transactional NTFS (TxF) to perform a fileless variation of process injection. The technique involves four steps: Transact (create a TxF transaction and overwrite a legitimate executable with malicious code), Load (create a shared section from the modified file), Rollback (undo the file changes, removing malicious code from disk), and Animate (create a process from the tainted memory section). This evades detection because the malicious code never exists on disk in its final form and the technique avoids highly-monitored API functions like NtUnmapViewOfSection.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.013 Process Doppelgänging
Canonical reference
https://attack.mitre.org/techniques/T1055/013/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Detect Process Doppelganging via NTFS Transaction API usage
// Key APIs: CreateFileTransacted, NtCreateSection, RollbackTransaction, NtCreateProcessEx
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("CreateFileTransacted", "NtCreateSection", "RollbackTransaction", "NtCreateProcessEx")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
| union (
    // Detect suspicious process creation where the image file doesn't match expected
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("svchost.exe", "explorer.exe", "notepad.exe", "cmd.exe")
    | where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe", "explorer.exe", "winlogon.exe", "userinit.exe", "System")
    | where ProcessVersionInfoProductName == "" or isempty(ProcessVersionInfoProductName)
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, ProcessVersionInfoProductName
)
| sort by Timestamp desc
critical severity medium confidence

Detects Process Doppelganging through two methods: (1) monitoring for NTFS Transaction API function names in command lines and loaded modules, and (2) identifying processes that appear as legitimate system binaries but have missing or mismatched version information (indicating the process image was replaced via TxF transaction). Process Doppelganging is difficult to detect because it abuses legitimate NTFS transaction APIs and rolls back file changes before creation completes.

Data Sources

Process: Process CreationProcess: OS API ExecutionFile: File MetadataMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate applications using NTFS Transactions for atomic file operations (rare in modern software)
  • Windows Update and installer processes using transactional file operations
  • Database applications using TxF for data integrity
  • Enterprise backup software using NTFS transactions for consistent snapshots
Download portable Sigma rule (.yml)

Other platforms for T1055.013

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1NTFS Transaction API Check

    Expected signal: Sysmon Event ID 1: PowerShell execution. The API check itself generates no injection telemetry — it only verifies API availability.

  2. Test 2Kernel Transaction Manager Log Verification

    Expected signal: Sysmon Event ID 1: PowerShell querying event log configuration. No security event generated — this is a configuration check.

  3. Test 3Process Doppelganging Detection via Hollowing Artifacts

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. The parent-child anomaly (notepad from PowerShell) triggers Process Hollowing detections that also cover Doppelganging.

Last updated: 2026-04-16 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1055.013 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.003Thread Execution HijackingT1070.004File DeletionT1036Masquerading

Same Tactic: Defense Evasion

Popular Detections