Advanced Endpoint Hunting: Detecting Process Doppelgänging

Zer0rigin
3 min read · Mar 4, 2024

Doppelgängers gonna doppelgäng…

MITRE ATT&CK ID: T1055.013 Process Injection: Process Doppelgänging

Objective: Emulate and detect process doppelgänging injection technique

Task 1. Emulate and detect Process Doppelgänging

Process Doppelgänging Script: Start-Eidolon.ps1 (https://github.com/FuzzySecurity/PowerShell-Suite/blame/master/Start-Eidolon.ps1)

Start-Eidolon.ps1

Detection tool: PE-sieve — According to its GitHub, PE-sieve is a tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. It recognizes and dumps a variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches. It detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc. (https://github.com/hasherezade/pe-sieve)

Begin in PowerShell as administrator with the execution policy bypass option set. Then import the Eidolon module and run it with the target file test.txt, which is used to conceal Mimikatz. For more info about this powerful tool, check out the official GitHub. (https://github.com/ParrotSec/mimikatz)

Emulation of Process Doppelgänging by spawning Mimikatz as test.txt.

Check in Process Hacker 2 or Task Manager for the PID, which is shown as 2736. This gives us the target PID to pass to PE-sieve64.

Task manager used to determine target PID.

As seen below, PE-sieve64 marks the PID as suspicious because one of the module files cannot be read. Once the scan completes, the bottom of the output shows the file path where the results were written, along with a summary of the scan reporting an implanted module / implanted process execution.

PE-sieve64 executable run to scan suspicious process seen in task manager.
PE-sieve64 results with summary and file path with results.

Navigate to the output folder from PE-sieve64 at the file path shown in the scan results. Then open PEStudio (from PowerShell or from the Tools folder) to review the test.txt file. PEStudio indicates that the file is an executable and correctly identifies it as Mimikatz.

Folder with scan results.
The test.txt file shown will be reviewed with PEStudio.
Oooooooh, that’s not a text file, that’s the Mimikatz!
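The two checks Task 1 performs by hand (reading the PE-sieve summary for implant indicators, then noticing in PEStudio that test.txt is really a PE) can be automated. The following is an added example written for this article, not code from the post, from PE-sieve or from PEStudio. It assumes PE-sieve's JSON report (its /json output) carries a "scanned" → "modified" block with counters such as "replaced", "implanted_pe" and "unreachable_file"; those field names are an assumption, and the sample report, the clean report and the minimal PE header are all constructed for the example.

```python
import json
import struct

# Constructed sample of a pe-sieve JSON report for the PID seen in the post.
# The field names are an assumption about pe-sieve's /json output; the counts
# are made up for this example and are not real scan data.
SAMPLE_REPORT = json.dumps({
    "pid": 2736,
    "is_64_bit": 1,
    "scanned": {
        "total": 12,
        "skipped": 0,
        "modified": {
            "total": 1, "patched": 0, "iat_hooked": 0, "replaced": 1,
            "hdr_modified": 0, "implanted_pe": 0, "implanted_shc": 0,
            "unreachable_file": 1, "other": 0,
        },
    },
})

# Constructed report for a process pe-sieve found nothing wrong with.
CLEAN_REPORT = json.dumps({
    "pid": 4120,
    "is_64_bit": 1,
    "scanned": {"total": 10, "skipped": 0, "modified": {"total": 0}},
})

# Counters that point at a replaced or injected image rather than at a benign
# in-memory patch (an IAT hook from a legitimate security product, say).
STRONG_INDICATORS = ("replaced", "implanted_pe", "implanted_shc", "unreachable_file")


def summarize_report(report_json):
    """Reduce a pe-sieve JSON report to a triage verdict.

    Returns the pid, a boolean 'suspicious' flag, every non-zero indicator and
    the subset of strong indicators, so the analyst sees *why* it was flagged.
    """
    report = json.loads(report_json)
    modified = report.get("scanned", {}).get("modified", {})
    indicators = [k for k, v in modified.items() if k != "total" and v]
    strong = [k for k in indicators if k in STRONG_INDICATORS]
    return {
        "pid": report.get("pid"),
        "suspicious": bool(strong),
        "indicators": indicators,
        "strong_indicators": strong,
    }


def looks_like_pe(data):
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew points at a 'PE' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the NT headers
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


NON_EXECUTABLE_EXTENSIONS = (".txt", ".log", ".jpg", ".png", ".pdf", ".dat")


def triage_dump(filename, data):
    """Flag a dumped file whose extension says 'not a program' but whose bytes are a PE.

    This is the check PEStudio makes visible in the post: test.txt was Mimikatz.
    """
    disguised_ext = filename.lower().endswith(NON_EXECUTABLE_EXTENSIONS)
    return disguised_ext and looks_like_pe(data)


def constructed_pe_header():
    """Smallest byte string that satisfies looks_like_pe (constructed; not a real binary)."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    verdict = summarize_report(SAMPLE_REPORT)
    print(f"PID {verdict['pid']}: suspicious={verdict['suspicious']} indicators={verdict['indicators']}")
    print("test.txt is a disguised PE:", triage_dump("test.txt", constructed_pe_header()))
```

In practice the report would come from running pe-sieve64 against the PID and the dump bytes from the output folder the scan names; the extension check matters because Eidolon deliberately launches the payload under a harmless-looking name, so file type should always be judged from content, never from the name.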

Task 2. Use API Monitor to hunt for the uncommon API call used by the Process Doppelgänging technique

Begin by starting API Monitor x64. Search for and select the CreateTransaction API call. Now run the Eidolon script; API Monitor shows results for the uncommon CreateTransaction API call.

API monitor used to monitor the uncommon CreateTransaction API call.
Starting Mimikatz as test.txt with the Eidolon script.
API monitor discovers the uncommon API call CreateTransaction.
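Watching a single API call in a GUI works for one emulation run; over a longer capture the same hunt is easier to express as a small triage over an exported trace. The following is an added example for this article, not code from the post or from API Monitor, and it goes a little beyond the post: besides flagging any process that calls CreateTransaction, it raises the severity when the same process rolls the transaction back without ever committing it, or also calls NtCreateProcessEx, which is how the technique is publicly described. The trace format (time, pid, process, api, return) and every line in it are constructed; pid 2736 and the test.txt name come from the post, the other processes are invented.

```python
from collections import defaultdict

# Constructed API trace in a simple "time,pid,process,api,return" layout.
# This is not API Monitor's real export format; pid 2736 and test.txt are
# from the post, everything else is made up for the example.
SAMPLE_TRACE = """\
12:01:03.110,2736,test.txt,CreateTransaction,0x1a4
12:01:03.118,2736,test.txt,RollbackTransaction,1
12:01:03.120,2736,test.txt,NtCreateProcessEx,0x0
12:01:04.000,4120,notepad.exe,CreateFileW,0x2c8
12:01:05.300,5544,msiexec.exe,CreateTransaction,0x1c0
12:01:05.900,5544,msiexec.exe,CommitTransaction,1
"""


def parse_trace(text):
    """Parse the constructed trace layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, pid, proc, api, ret = line.split(",", 4)
        events.append({"time": time, "pid": int(pid), "process": proc,
                       "api": api, "ret": ret})
    return events


def score_transactions(events):
    """Group events per process and score transaction usage.

    Returns {pid: {"process", "severity", "reasons"}} for every process that
    called CreateTransaction. A lone CreateTransaction is only 'low': legitimate
    TxF-aware software (installers, for instance) uses it too. Rolling back
    without committing, or pairing it with NtCreateProcessEx, makes it 'high'.
    """
    by_pid = defaultdict(lambda: {"process": None, "apis": []})
    for e in events:
        by_pid[e["pid"]]["process"] = e["process"]
        by_pid[e["pid"]]["apis"].append(e["api"])

    findings = {}
    for pid, info in by_pid.items():
        apis = set(info["apis"])
        if "CreateTransaction" not in apis:
            continue
        reasons = ["CreateTransaction called (uncommon outside TxF-aware software)"]
        if "RollbackTransaction" in apis and "CommitTransaction" not in apis:
            reasons.append("transaction rolled back without ever being committed")
        if "NtCreateProcessEx" in apis:
            reasons.append("NtCreateProcessEx called by the same process")
        findings[pid] = {
            "process": info["process"],
            "severity": "high" if len(reasons) > 1 else "low",
            "reasons": reasons,
        }
    return findings


def triage_trace(text):
    """Convenience wrapper: raw trace text in, findings out."""
    return score_transactions(parse_trace(text))


if __name__ == "__main__":
    for pid, f in sorted(triage_trace(SAMPLE_TRACE).items()):
        print(f"PID {pid} ({f['process']}): {f['severity']}")
        for r in f["reasons"]:
            print("   -", r)
```

The msiexec.exe entry is there on purpose: it shows why the CreateTransaction hit alone should be treated as a lead to confirm with PE-sieve or a memory dump rather than as a verdict, while the rollback-without-commit pattern is what separates the Eidolon run from ordinary transactional file use.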

Referencing the MITRE ATT&CK framework is always helpful. One of its detection suggestions is the method used above.

https://attack.mitre.org/techniques/T1055/013/


Written by Zer0rigin

SOC Incident Response Analyst. Adamant about privacy and security. Fascinated by technology ever since a Super Nintendo controller graced my hand.
