Detect Process Doppelganging in Sumo Logic CSE
Adversaries may inject malicious code into process via process doppelganging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelganging abuses Windows Transactional NTFS (TxF) to perform a fileless variation of process injection. The technique involves four steps: Transact (create a TxF transaction and overwrite a legitimate executable with malicious code), Load (create a shared section from the modified file), Rollback (undo the file changes, removing malicious code from disk), and Animate (create a process from the tainted memory section). This evades detection because the malicious code never exists on disk in its final form and the technique avoids highly-monitored API functions like NtUnmapViewOfSection.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.013 Process Doppelgänging
- Canonical reference
- https://attack.mitre.org/techniques/T1055/013/
Sumo Detection Query
_sourceCategory="windows/sysmon" EventCode=1
| parse regex field=Image "\\\\(?<ImageName>[^\\\\]+)$" nodrop
| parse regex field=ParentImage "\\\\(?<ParentImageName>[^\\\\]+)$" nodrop
| where EventCode = 1
| where (
matches(toLowerCase(CommandLine), "(?i).*(createfiletransacted|ntcreatesection|rollbacktransaction|ntcreateprocessex).*")
OR (
ImageName in ("svchost.exe", "explorer.exe", "notepad.exe", "cmd.exe")
AND !(ParentImageName in ("services.exe", "svchost.exe", "winlogon.exe", "userinit.exe", "wininit.exe"))
)
)
| eval Severity = if(
matches(toLowerCase(CommandLine), "(?i).*(createfiletransacted|ntcreatesection|rollbacktransaction|ntcreateprocessex).*"),
"CRITICAL",
"HIGH"
)
| fields _time, Computer, User, ParentImageName, ImageName, CommandLine, Hashes, Severity
| sort by _time descSumo Logic query against Windows Sysmon Process Create events (EventCode 1) detecting Process Doppelganging via TxF API strings in command-line arguments and anomalous parent-child process relationships. Regex parsing extracts binary names from full image paths for reliable matching.
Data Sources
Required Tables
False Positives & Tuning
- IT automation frameworks (Ansible, PowerShell DSC) that spawn cmd.exe or system utilities from orchestration agent parent processes
- Containerized Windows workloads where process parent chains differ from bare-metal deployments due to container runtime processes
- Security assessment tools or red team frameworks that legitimately reference TxF APIs during authorized testing activities
Other platforms for T1055.013
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1NTFS Transaction API Check
Expected signal: Sysmon Event ID 1: PowerShell execution. The API check itself generates no injection telemetry — it only verifies API availability.
- Test 2Kernel Transaction Manager Log Verification
Expected signal: Sysmon Event ID 1: PowerShell querying event log configuration. No security event generated — this is a configuration check.
- Test 3Process Doppelganging Detection via Hollowing Artifacts
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. The parent-child anomaly (notepad from PowerShell) triggers Process Hollowing detections that also cover Doppelganging.
References (5)
- https://attack.mitre.org/techniques/T1055/013/
- https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
- https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
- https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.013/T1055.013.md
Unlock Pro Content
Get the full detection package for T1055.013 including response playbook, investigation guide, and atomic red team tests.