The Windows Operating System has inconsistencies in how it determines process image FILE_OBJECT locations, which impacts non-EDR (Endpoint Detection and Response) Endpoint Security Solution’s (such as Microsoft Defender Realtime Protection), ability to detect the correct binaries loaded in malicious processes.
This inconsistency has led McAfee’s Advanced Threat Research to develop a new post-exploitation evasion technique called “Process Reimaging”. This technique is equivalent in impact to Process Hollowing or Process Doppelganging within the Mitre Attack Defense Evasion Category; however, it is , much easier to execute as it requires no code injection.
While this bypass has been successfully tested against current versions of Microsoft Windows and Defender, it is highly likely that the bypass will work on any endpoint security vendor or product implementing the APIs discussed below.
action: global title: Defense evasion via process reimaging id: 7fa4f550-850e-4117-b543-428c86ebb849 description: Detects process reimaging defense evasion technique status: experimental author: Alexey Balandin, oscd.community references: - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/ tags: - attack.defense_evasion date: 2019/10/25 detection: condition: all of them falsepositives: - unknown level: high --- logsource: product: windows service: sysmon detection: selection1: category: process_creation fields: - Image - OriginalFileName - ParentProcessGuid new_fields: - ImageFileName --- logsource: product: windows service: sysmon detection: selection2: EventID: 11 fields: - ProcessGuid - TargetFilename