Summary
The disclosure of this evasion technique has the full attention of the Carbon Black Threat Analysis Unit (TAU) and we are researching how this will affect our products, if at all. We are in the process of recreating their proof of concept so that we can better understand the underlying facets and test it against our products.
After reviewing the public presentations, we’ve learned that the Process Doppelganging technique uses ntoskrnl to create a transaction subsequently opening a legitimate file into that transaction (for attack purposes the legitimate file would most likely be a signed Microsoft binary).
A malicious payload (in the form of an executable) is then written to that transaction record using the standard API calls (in their POC the malicious payload was encrypted on disk, opened and decrypted by their loader and then written to the transaction record). Their technique then creates a section (via NTCreateSession) for the malicious code (preserving the malicious code), and rolls back the changes to the original legitimate file (the previously created section will not be altered and still contains the malicious code). Their technique then creates a process (and a thread) with a handle to this section, which will appear to be the legitimate process (backed up by legitimate code on disk).
Ultimately this technique is a process that uses the legit Window Loader to run malicious code. As for right now, until we can determine how to best detect this technique, we are suggesting that practitioners focus on the final payload being run. The Cb suite of products will be able to detect the final payload and their associated actions the same as if an attacker used rundll32 or PowerShell to execute the malicious code. Obviously, we want to try and focus on detecting suspicious actions as soon as possible (and we will work to ensure we can detect this technique), but this exploit was developed to evade traditional AV that hooks and scans files (with signatures) at different points prior to the code actually being loaded or executed.
TAU has been working closely with the different product engineering groups today to recreate this technique and test. As we finalize our test we will update this page with relevant findings and IOCs.
