GET /api/techniques/171/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 171,
    "key": "process-ghosting",
    "unprotect_id": "U1232",
    "name": "Process Ghosting",
    "description": "Process Ghosting is a technique used to bypass detection by manipulating the executable image when a process is loaded. \r\n\r\nWindows attempts to prevent mapped executables from being modified. Once a file is mapped into an image section, attempts to open it with `FILE_WRITE_DATA` (to modify it) will fail with `ERROR_SHARING_VIOLATION`. Deletion attempts via `FILE_DELETE_ON_CLOSE`/`FILE_FLAG_DELETE_ON_CLOSE` fail with `ERROR_SHARING_VIOLATION`. `NtSetInformationFile`(`FileDispositionInformation`) requires the `DELETE` access right. Even though the `DELETE` access right is granted to files mapped to image sections, `NtSetInformationFile`(`FileDispositionInformation`) fails with `STATUS_CANNOT_DELETE`. Deletion attempts via `FILE_SUPERSEDE`/`CREATE_ALWAYS` fail with `ACCESS_DENIED`. \r\n\r\nAn important note, however, is that this deletion restriction only comes into effect once the executable is mapped into an image section. This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section. This is Process Ghosting.\r\n\r\nThe attack flow is:\r\n\r\n1. Create a file\r\n2. Put the file into a delete-pending state using `NtSetInformationFile`(`FileDispositionInformation`). Note: Attempting to use `FILE_DELETE_ON_CLOSE` instead will not delete the file.\r\n3. Write the payload executable to the file. The content isn't persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.\r\n4. Create an image section for the file.\r\n5. Close the delete-pending handle, deleting the file.\r\n6. Create a process using the image section.\r\n7. Assign process arguments and environment variables.\r\n8. Create a thread to execute in the process.",
    "resources": "https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack",
    "creation_date": "2021-06-16T11:50:05Z",
    "tags": "",
    "modification_date": "2023-10-04T10:44:44.110000Z",
    "category": [
        4
    ],
    "rules": [],
    "attachments": [],
    "featured_api": [],
    "contributors": []
}