Process Ghosting: Truth or a Race?

Intrusion Team
Jun 18, 2021

Is it true, is it a race, or does it matter?

In this blog:What you need to know about Process Ghosting, a new executable image tampering attack[1]. This week, Gabriel Landau of Elasticsearch presented a fascinating article centered around a new technique of “process ghosting” which theoretically and most likely temporarily can evade most signature-based anti-virus solutions. It differs from what many know of as Process Doppelgӓnging and Process Herpaderping that rely on code injection, process hollowing, or Transactional NTFS (TxF).Instead, an attacker using this technique can write a piece of malware to disk in such a way that it is difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk.

[1] What you need to know about Process Ghosting, a new executable image tampering attack | Elastic Blog

Mr. Landau demonstrates the attack and provides the support to prove that yes, it is true this attack should work in most cases and allow an attacker to gain control of a victim’s Windows computer.What should be worrisome to most is that Elasticresearch filed a bug report with Microsoft of their findings on May 6, 2021, and on May 10th were notified the issue does not meet the Microsoft Defender Security Research Team’s bar for servicing. It is possible Microsoft believes it can handle this attack like other file-less attacks as addressed in their Jan 24, 2018, Security article: Now you see me: Exposing Fileless malware[1].However, you would think it should not be assumed a bug discovered in 2021 would be mitigated by 2018 assumptions.At least not without argument.

[1] Now you see me: Exposing fileless malware | Microsoft Security Blog

Therefore, we believe it is a race between whether someone exploits Landau’s discovery and proves MS lagging, or MS sneaks in a security update in the very near future. Elasticsearch claims their Elastic Security solution would identify the attack but do not state it will prevent it. Surely other vendors will attempt to address it. The question is how concerned do you need to be?

It is our understanding an attacker would have to first gain access to a system to run the Process Ghosting attack, and they’d run that using a shell command script (a malware-less attack using a legitimate resource).However, the question is if they have that level of access, what is the purpose of this attack other than another layer of persistence?The bottom line is that, in this scenario, it is likely the communication between attacker and victim involved a non-reputable, suspicious IP. Or at least at some point in the overall attack campaign, the attacker will either come from, download additional files from, or try to exfiltrate data to a non-reputable, suspicious IP.This type of exploit along with several other malware-free techniques underscores the challenge in thinking that traditional cybersecurity products will be an effective defense. To effectively defend an attack that leverages Process Ghosting you will need solutions that deliver a Zero-Trust architecture. Process Ghosting is possible. Using it in an effective attack path or vector is unlikely.

Let the race begin.

Ready to get protected?

INTRUSION Shield is inexpensive enough to be affordable to every business, large or small. For a small fee per seat, per month – with no annual contract and no hardware to buy – you can get immediate protection.

Request a demo

See what INTRUSION can do for your company with risk-free demo.

Get Demo

Get your free report

Simply enter your URL and get a detailed report emailed to you.

Get Report

Resources that might interest you.

Get the insights cybercriminals don’t want you to know.