Process Doppelgänging (T1186)

View on ATT&CK

In Playbook

Technique & Subtechniques

  • Process Doppelgänging

Associated Tactics

  • Defense Evasion

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

View on ATT&CK

Procedure Examples

Description Source(s)
Microsoft. (n.d.). Transactional NTFS (TxF). Retrieved December 20, 2017. Microsoft TxF
Microsoft. (n.d.). Basic TxF Concepts. Retrieved December 20, 2017. Microsoft Basic TxF Concepts
Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved December 20, 2017. Microsoft Where to use TxF
Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017. BlackHat Process Doppelgänging Dec 2017
hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. Retrieved December 20, 2017. hasherezade Process Doppelgänging Dec 2017
Microsoft. (n.d.). PsSetCreateProcessNotifyRoutine routine. Retrieved December 20, 2017. Microsoft PsSetCreateProcessNotifyRoutine routine