T1055.013 Splunk · SPL

Detect Process Doppelganging in Splunk

Adversaries may inject malicious code into process via process doppelganging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelganging abuses Windows Transactional NTFS (TxF) to perform a fileless variation of process injection. The technique involves four steps: Transact (create a TxF transaction and overwrite a legitimate executable with malicious code), Load (create a shared section from the modified file), Rollback (undo the file changes, removing malicious code from disk), and Animate (create a process from the tainted memory section). This evades detection because the malicious code never exists on disk in its final form and the technique avoids highly-monitored API functions like NtUnmapViewOfSection.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.013 Process Doppelgänging
Canonical reference
https://attack.mitre.org/techniques/T1055/013/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ImageName=mvindex(split(Image, "\\"), -1)
| eval ParentName=mvindex(split(ParentImage, "\\"), -1)
// Look for processes with image hash mismatches or unusual characteristics
| eval SuspiciousCreation=case(
    ImageName="svchost.exe" AND NOT ParentImage="*\\services.exe", "HIGH - svchost anomaly",
    ImageName="explorer.exe" AND NOT (ParentImage="*\\winlogon.exe" OR ParentImage="*\\userinit.exe"), "HIGH - explorer anomaly",
    match(CommandLine, "(?i)(createfiletransacted|ntcreatesection|rollbacktransaction)"), "CRITICAL - TxF API in commandline",
    1=1, "LOW"
)
| where SuspiciousCreation!="LOW"
// Additional: look for kernel transaction manager events
| append [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Kernel-Transaction-Manager/Operational" EventCode IN (51, 52, 53, 54)
| eval SuspiciousCreation="MEDIUM - NTFS Transaction activity detected"
| table _time, host, SuspiciousCreation, EventCode]
| table _time, host, User, ParentImage, Image, CommandLine, Hashes, SuspiciousCreation
| sort - _time
critical severity medium confidence

Detects Process Doppelganging using multiple signals: (1) Sysmon process creation events with parent-child anomalies similar to Process Hollowing, (2) TxF API references in command lines, and (3) Windows Kernel Transaction Manager operational events indicating NTFS transaction activity. Also monitors for kernel transaction events (Event IDs 51-54) that may indicate TxF abuse.

Data Sources

Process: Process CreationSysmon Event ID 1Windows Kernel Transaction Manager

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate TxF usage by Windows Update components
  • Installer frameworks using transactional file operations
  • Database applications with NTFS transaction support
  • Backup software using TxF for consistent file copies
Download portable Sigma rule (.yml)

Other platforms for T1055.013

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1NTFS Transaction API Check

    Expected signal: Sysmon Event ID 1: PowerShell execution. The API check itself generates no injection telemetry — it only verifies API availability.

  2. Test 2Kernel Transaction Manager Log Verification

    Expected signal: Sysmon Event ID 1: PowerShell querying event log configuration. No security event generated — this is a configuration check.

  3. Test 3Process Doppelganging Detection via Hollowing Artifacts

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. The parent-child anomaly (notepad from PowerShell) triggers Process Hollowing detections that also cover Doppelganging.

Last updated: 2026-04-16 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1055.013 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.003Thread Execution HijackingT1070.004File DeletionT1036Masquerading

Same Tactic: Defense Evasion

Popular Detections