“Process Doppelgänging” Attack Works on All Windows Versions [source: bleepingcomputer]
by CIRT Team
Today, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called “Process Doppelgänging.”
This new attack works on all Windows versions and researchers say it bypasses most of today’s major security products.
Process Doppelgänging is somewhat similar to another technique called Process Hollowing, but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.
Process Doppelgänging bypasses most modern AVs
Researchers say malicious code that utilizes Process Doppelgänging is never saved to disk (fileless attack), which makes it invisible to all major security products.
Researchers successfully tested their attack on products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, Qihoo 360, and Panda. Furthermore, even advanced forensics tools such as Volatility will not detect it.
In their experiments, researchers used Process Doppelgänging to run Mimikatz, a known utility used for password-stealing operations, “in a stealthy way to avoid detection.”