It is our understanding that an attacker would first have to gain access to a system to run the Process Ghosting attack, and they’d run it using a shell command script (a malware-less attack using a legitimate resource). However, the question is: if they have that level of access, what is the purpose of this attack other than another layer of persistence? The bottom line is that, in this scenario, it is likely the communication between attacker and victim involved a non-reputable, suspicious IP. Or, at least at some point in the overall attack campaign, the attacker will either come from, download additional files from, or try to exfiltrate data to a non-reputable, suspicious IP.
This type of exploit, along with several other malware-free techniques, underscores the challenge in assuming that traditional cybersecurity products will be an effective defense. To effectively defend against an attack that leverages Process Ghosting, you will need solutions that deliver a Zero-Trust architecture. Process Ghosting is possible. Using it in an effective attack path or vector is unlikely.
Let the race begin.