title: Process Doppelganging (T1055.013)
id: df00tech-t1055-013
status: experimental
description: "Adversaries may inject malicious code into a process via process doppelganging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelganging abuses Windows Transactional NTFS (TxF) to perform a fileless variation of process injection. The technique involves four steps: Transact (create a TxF transaction and overwrite a legitimate executable with malicious code), Load (create a shared section from the modified file), Rollback (undo the file changes, removing the malicious code from disk), and Animate (create a process from the tainted memory section). This evades detection because the malicious code never exists on disk in its final form and the technique avoids highly monitored API functions such as NtUnmapViewOfSection."
references:
  - https://attack.mitre.org/techniques/T1055/013/
  - https://df00tech.com/detections/T1055.013
author: df00tech
date: 2026/04/16
tags:
  - attack.t1055.013
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below matches every process_creation event and must be
  # replaced with real matching logic before the rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate applications using NTFS Transactions for atomic file operations (rare in modern software)
  - Windows Update and installer processes using transactional file operations
  - Database applications using TxF for data integrity
  - Enterprise backup software using NTFS transactions for consistent snapshots
level: critical
