INJ-DOPPELGANGINGDefense Evasion

Process Doppelgänging

Use transacted file APIs to overlay attacker image during process creation — final image differs from on-disk file.

§ Where this technique fits

INJ-DOPPELGANGING is catalogued under the Defense Evasion tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Process doppelgänging → spawn signed image with attacker bytes
Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.
step 2 / 6

§ What commonly comes next

01
Process Hollowing (T1055.012)
INJ-PROCESS-HOLLOWING · Defense Evasion
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Process doppelgänging → spawn signed image with attacker bytes

§ What commonly comes next