Adversaries may use Process Doppelganging to inject malicious code into legitimate processes by manipulating NTFS transaction APIs, allowing them to execute payloads before the process is fully created. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistence and execution tactics that evade traditional detection methods.
KQL Query
// Enter a reference list of trusted processes
let TrustedProcessList = dynamic (["c:\\windows\\system32\\svchost.exe","c:\\windows\\system32\\lsass.exe","c:\\windows\\servicing\\TrustedInstaller.exe","c:\\windows\\system32\\poqexec.exe","TiWorker.exe","C:\\Windows\\System32\\inetsrv\\appcmd.exe","C:\\Windows\\System32\\inetsrv\\InetMgr.exe","C:\\Windows\\System32\\wsmprovhost.exe","C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise\\Common7\\IDE\\devenv.exe"]);
SecurityEvent
| where EventID == 4985 and not (ProcessName has_any (TrustedProcessList)) and SubjectLogonId !="0x3e7"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ProcessName, SubjectUserName
id: 97ff9459-dade-404a-b90e-d93b9acde1a4
name: Potential Process Doppelganging
description: |
  'This query detects Process Doppelganging, a technique that calls several APIs related to NTFS transactions which allow the PE content to be substituted before the process is even created.
  Ref: https://attack.mitre.org/techniques/T1055/013/'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1055.013
query: |
  // Enter a reference list of trusted processes
  let TrustedProcessList = dynamic (["c:\\windows\\system32\\svchost.exe","c:\\windows\\system32\\lsass.exe","c:\\windows\\servicing\\TrustedInstaller.exe","c:\\windows\\system32\\poqexec.exe","TiWorker.exe","C:\\Windows\\System32\\inetsrv\\appcmd.exe","C:\\Windows\\System32\\inetsrv\\InetMgr.exe","C:\\Windows\\System32\\wsmprovhost.exe","C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise\\Common7\\IDE\\devenv.exe"]);
  SecurityEvent
  | where EventID == 4985 and not (ProcessName has_any (TrustedProcessList)) and SubjectLogonId !="0x3e7"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ProcessName, SubjectUserName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SubjectUserName
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
  - entityType: Process
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessName
version: 1.0.0
kind: Scheduled
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
Scenario: Legitimate Use of fsutil for File System Maintenance
Description: An admin is using fsutil to perform disk defragmentation or file system checks, which may trigger NTFS transaction-related API calls.
Filter/Exclusion: Exclude processes where the command line contains fsutil or defrag.
Scenario: Scheduled Job Running a Trusted Executable
Description: A scheduled task is executing a known trusted application (e.g., schtasks.exe, sqlservr.exe, or vssadmin.exe) that may inadvertently invoke NTFS transaction APIs.
Filter/Exclusion: Exclude processes with parent process IDs matching known system or trusted service processes (e.g., services.exe, svchost.exe).
Scenario: Antivirus or Endpoint Protection Scanning
Description: An endpoint protection tool (e.g., Microsoft Defender, CrowdStrike, or Symantec) is performing a full system scan, which may involve NTFS operations that trigger the rule.
Filter/Exclusion: Exclude processes with names like mpsvc.exe, mpengine.exe, or Mcshield.exe.
Scenario: System File Check (sfc /scannow)
Description: The system is running sfc /scannow to repair corrupted system files, which may involve NTFS transaction APIs.
Filter/Exclusion: Exclude processes where the command line contains sfc or SystemFileChecker.
Scenario: PowerShell Script Performing File System Operations
Description: A PowerShell script is performing file system operations (e.g., using Get-ChildItem, Copy-Item, or Move-Item) that may trigger NTFS transaction-related API calls.
Filter/Exclusion: Exclude processes with powershell.exe in the command line and
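As an added example that is not part of the original rule or its repository, the following Python script reproduces the query's logic offline so the trusted list and the false-positive exclusions described in the scenarios above can be tested against constructed Security event 4985 records before the rule is deployed. It applies the same three filters (EventID 4985, process not in the trusted list, logon ID other than the SYSTEM session 0x3e7), adds a second, environment-specific exclusion list for the scenarios, and performs the same min/max-time summarisation. The sample records, the FP_EXCLUSIONS entries and the function names are assumptions; KQL's term-based has_any is approximated here by case-insensitive full-path or file-name equality.

```python
# Added example (not the Sentinel rule's own code): offline approximation of the
# "Potential Process Doppelganging" KQL query over constructed 4985 records.
from datetime import datetime

# Trusted list as given in the rule.
TRUSTED_PROCESS_LIST = [
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\lsass.exe",
    "c:\\windows\\servicing\\TrustedInstaller.exe",
    "c:\\windows\\system32\\poqexec.exe",
    "TiWorker.exe",
    "C:\\Windows\\System32\\inetsrv\\appcmd.exe",
    "C:\\Windows\\System32\\inetsrv\\InetMgr.exe",
    "C:\\Windows\\System32\\wsmprovhost.exe",
    "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise\\Common7\\IDE\\devenv.exe",
]

# Constructed exclusions for the false-positive scenarios (assumption; tune per environment).
FP_EXCLUSIONS = ["fsutil.exe", "defrag.exe", "sfc.exe", "mpengine.exe"]

SYSTEM_LOGON_ID = "0x3e7"  # the SYSTEM logon session the rule excludes

# Constructed sample records carrying only the SecurityEvent columns the query uses.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00", "EventID": 4985, "Computer": "WS01",
     "ProcessName": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "SubjectUserName": "bob", "SubjectLogonId": "0x5a3b1"},
    {"TimeGenerated": "2024-05-01T10:05:00", "EventID": 4985, "Computer": "WS01",
     "ProcessName": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "SubjectUserName": "bob", "SubjectLogonId": "0x5a3b1"},
    {"TimeGenerated": "2024-05-01T10:01:00", "EventID": 4985, "Computer": "WS01",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe",
     "SubjectUserName": "WS01$", "SubjectLogonId": "0x3e7"},       # trusted path, SYSTEM session
    {"TimeGenerated": "2024-05-01T10:02:00", "EventID": 4985, "Computer": "WS01",
     "ProcessName": "C:\\Windows\\WinSxS\\amd64_servicing\\TiWorker.exe",
     "SubjectUserName": "WS01$", "SubjectLogonId": "0x999"},       # bare-name trusted entry
    {"TimeGenerated": "2024-05-01T10:03:00", "EventID": 4985, "Computer": "WS01",
     "ProcessName": "C:\\Windows\\System32\\fsutil.exe",
     "SubjectUserName": "admin", "SubjectLogonId": "0x1234"},      # fsutil scenario
    {"TimeGenerated": "2024-05-01T10:04:00", "EventID": 4688, "Computer": "WS01",
     "ProcessName": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "SubjectUserName": "bob", "SubjectLogonId": "0x5a3b1"},       # not a 4985 event
    {"TimeGenerated": "2024-05-01T11:00:00", "EventID": 4985, "Computer": "SRV01",
     "ProcessName": "C:\\ProgramData\\cache\\loader.exe",
     "SubjectUserName": "alice", "SubjectLogonId": "0x7777"},
]


def matches_list(process_name, entries):
    """True if process_name equals a full-path entry, or its file name equals a
    bare-name entry, compared case-insensitively (approximation of has_any)."""
    path = process_name.lower()
    base = path.rsplit("\\", 1)[-1]
    for entry in entries:
        e = entry.lower()
        if path == e or ("\\" not in e and base == e):
            return True
    return False


def hunt(events, trusted=TRUSTED_PROCESS_LIST, exclusions=FP_EXCLUSIONS):
    """Apply the rule's where-clause plus the extra exclusions, then summarise
    StartTime/EndTime by EventID, Computer, ProcessName, SubjectUserName."""
    groups = {}
    for ev in events:
        if ev["EventID"] != 4985:
            continue
        if ev["SubjectLogonId"] == SYSTEM_LOGON_ID:
            continue
        if matches_list(ev["ProcessName"], trusted) or matches_list(ev["ProcessName"], exclusions):
            continue
        key = (ev["EventID"], ev["Computer"], ev["ProcessName"], ev["SubjectUserName"])
        t = datetime.fromisoformat(ev["TimeGenerated"])
        start, end = groups.get(key, (t, t))
        groups[key] = (min(start, t), max(end, t))
    rows = [
        {"EventID": k[0], "Computer": k[1], "ProcessName": k[2], "SubjectUserName": k[3],
         "StartTime": s.isoformat(), "EndTime": e.isoformat()}
        for k, (s, e) in groups.items()
    ]
    return sorted(rows, key=lambda r: (r["Computer"], r["ProcessName"], r["SubjectUserName"]))


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

Running the script returns two rows (the loader.exe and update.exe activity); dropping the exclusion list adds the fsutil.exe row back, which is the behaviour the scenarios above are meant to suppress. The bare-name entry "TiWorker.exe" matches regardless of directory, while a full-path entry only matches that exact path, so a copy of svchost.exe placed elsewhere is still reported.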