Process Doppelganger - Product Status Update

Summary

The purpose of this post is to provide Cb customers with product status updates involving the Process Doppelganger technique across Cb Defense, Cb Protection and Cb Response.

The SRC (Security Response Center) team at Carbon Black has been closely working with the Product Management, Engineering and Cb Threat Analysis Unit (TAU) teams to understand the scope, impact and remediation steps across the Cb product suite. Please view the relevant product sections below for more information.

For information on Process Doppelganging, see TAU-TIN.

Cb Defense

The Cb Defense Product Management and Engineering teams have identified necessary product code changes that, once implemented, will allow Cb Defense to identify the doppelganger technique. The resources to make these code changes are being identified and scheduled into different planning increments based on ongoing development needs. Once the updates have been implemented and tested, they will be released.

Cb Protection

We are working on an agent-level change to identify NTFS transactions and a server-level change to include a Rapid Config to report or block transacted MMap Reads, Executions or Script Executions.

These fixes will be in Cb Protection 8.0 P7. Customers will have to upgrade their Cb Protection servers and agents to detect and/or prevent this technique. The GA date for Cb Protection 8.0 P7 is currently TBD.

Cb Response

The Cb Response Product Management and Engineering teams have identified necessary product code changes that, once implemented, will allow Cb Response to identify the doppelganger technique. We are prioritizing this work against ongoing development needs and will be scheduling these code changes into upcoming planning increments. Once the updates have been implemented and tested, they will be released.

Future Updates

We will modify this post as updates become available and encourage you to follow this post. To receive the most recent information via email notification, please check ‘Inbox’ for this post as indicated in the following example screenshot:

Comments

Is there an update on this post? Is there an ETA for when you are planning to implement the code change?

Cb Response

The Cb Response Product Management and Engineering teams have identified necessary product code changes, that once implemented, will allow Cb Response to identify the doppelganger technique. We are prioritizing this work against ongoing development needs and will be scheduling these code changes into upcoming planning increments. Once the updates have been implemented and tested, they will be released.

Can you name a target version and date, please?

It's been 'identified' since December or was it Jan... specifics, not weasel words, thank you.

If only customers paid money like you ignored feature requests for injections in the wild =)....

specifics not weasel words or customer mushroom management...

Moreover, can you confirm it's a priority to close gaps and implement new injection techniques errr faster???

https://community.carbonblack.com/docs/DOC-12766#comment-13643

a) this.

b) CBER: does the cross proc remote thread bit cover CreateTimerQueueTimer injection?

c) [setwindowlong injection]

https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
https://www.crowdstrike.com/blog/through-window-creative-code-invocation/

d) hooking of interesting functions [guessing that's in the 'never to implement' bucket], e.g. keylogging.

SynAck targeted ransomware uses the Doppelgänging technique:

https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/

time to implement new injection techniques in malware - 1/2 day.

time to implement in cb - 1/2 year + 'no comment, no eta'

and so?

Any update on this?
https://blog.malwarebytes.com/threat-analysis/2018/08/osiris-using-process-doppelganging/

Can Cb recommend a CbR watchlist based on this type of doppelganging?

Per the below note in the article, it seems as if a CB Response identifier was in the works at some point. Has this method of identifying the doppelganger technique been introduced into CB Response yet? I've searched through the CB Response Threat Reports and do not find anything.

"The Cb Response Product Management and Engineering teams have identified necessary product code changes, that once implemented, will allow Cb Response to identify the doppelganger technique." 
Article Information
Creation Date: 01-19-2018
Views: 2039