Process doppelgänging → spawn signed image with attacker bytes

§ Context

Assumed environment: foothold on Windows pre-1809 or modern build that doesn't fully neuter transactional NTFS. AV/EDR relies on on-disk scanning more than runtime memory analysis.

§ Steps

1. 01
   Foothold shellInitial Access

   T1078— Valid Accounts
2. 02
   Process spawns with attacker codeExecution

   T1059— Command and Scripting Interpreter
3. 03
   Rollback transaction — on-disk file unchangedDefense Evasion

   T1027— Obfuscated Files or Information
4. 04
   NtCreateProcessEx from sectionDefense Evasion

   INJ-PROCESS-HOLLOWING— Process Hollowing (T1055.012)
5. 05
   Overlay attacker image within transactionDefense Evasion

   INJ-DOPPELGANGING— Process Doppelgänging
6. 06
   Open transacted fileDefense Evasion

   INJ-DOPPELGANGING— Process Doppelgänging

§ References

• T1078Valid Accounts
• T1059Command and Scripting Interpreter
• T1027Obfuscated Files or Information

§ Frequently asked

What is the "Process doppelgänging → spawn signed image with attacker bytes" attack path?

Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time. It chains 6 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Foothold shell (T1078) — a initial access primitive. Assumed environment: foothold on Windows pre-1809 or modern build that doesn't fully neuter transactional NTFS.

What is the final impact of this kill-chain?

The final step lands on Open transacted file (INJ-DOPPELGANGING), which falls under Defense Evasion. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques2

  LogoFAIL → UEFI bootkit → persistent ring-0

  Drop a malformed JPG/PNG/BMP into the EFI partition's boot logo path. Vulnerable vendor UEFI parses it pre-OS, executes attacker code before SecureBoot's verifier — install a bootkit that survives wipe + reinstall.

• Shared techniques2

  nf_tables UAF → kernel R/W → root

  CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.

• Shared techniques2

  io_uring UAF → modprobe_path overwrite → root

  Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.

• Shared techniques2

  Process hollowing → run beacon in svchost shell

  Spawn svchost.exe suspended, unmap its image, write attacker PE into the same address space, resume — the process keeps a legit-looking PEB and command line but executes beacon code.

• Shared techniques2

  BYOVD → kernel-level disable of EDR callbacks

  From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.

• Shared techniques2

  F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB

  Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.