GET /api/techniques/146/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 146,
    "key": "process-reimaging",
    "unprotect_id": "U1210",
    "name": "Process Reimaging",
    "description": "Process Reimaging is a technique used to evade detection by endpoint security solutions. It is a variation of the Process Hollowing and Process Doppelganging techniques, which are used to execute arbitrary code in the context of another process.\r\n\r\nThe Windows operating system is inconsistent in how it determines the locations of process image FILE_OBJECTs, which can impair the ability of endpoint security solutions, such as Microsoft Defender Realtime Protection, to accurately identify the binaries actually loaded in malicious processes. Process Reimaging exploits this inconsistency and, unlike the techniques it derives from, does not require code injection.",
    "resources": "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass.html",
    "creation_date": "2020-05-08T09:26:00Z",
    "tags": "Process Reimaging,\r\nDetection evasion,\r\nEndpoint security solutions,\r\nProcess Hollowing,\r\nProcess Doppelganging,\r\nMitre Attack Defense Evasion Category,\r\nCode injection,",
    "modification_date": "2023-10-04T10:43:54.431000Z",
    "category": [
        4
    ],
    "rules": [],
    "attachments": [],
    "featured_api": [],
    "contributors": []
}