Esc

Process Doppelgänging - T1055.013

(ATT&CK® Technique)

Definition

Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1055013["Process Doppelgänging"] --> |invokes| CreateProcess["Create Process"]; class T1055013 OffensiveTechniqueNode;
        class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
        click T1055013 href "/offensive-technique/attack/T1055.013/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess";             ExecutableAllowlisting["Executable Allowlisting"] -->
          | restricts | CreateProcess["Create Process"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | May Isolate | T1055013["Process Doppelgänging"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
          | restricts | CreateProcess["Create Process"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | May Isolate | T1055013["Process Doppelgänging"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
          | restricts | CreateProcess["Create Process"];

          Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
            | May Isolate | T1055013["Process Doppelgänging"] ;
          class Hardware-basedProcessIsolation DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation";    SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | CreateProcess["Create Process"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | May Detect | T1055013["Process Doppelgänging"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis";                                                MandatoryAccessControl["Mandatory Access Control"] -->
          | restricts | CreateProcess["Create Process"];

          MandatoryAccessControl["Mandatory Access Control"] -.->
            | May Isolate | T1055013["Process Doppelgänging"] ;
          class MandatoryAccessControl DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl";              ProcessSpawnAnalysis["Process Spawn Analysis"] -->
          | analyzes | CreateProcess["Create Process"];

          ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
            | May Detect | T1055013["Process Doppelgänging"] ;
          class ProcessSpawnAnalysis DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";                SystemCallFiltering["System Call Filtering"] -->
          | filters | CreateProcess["Create Process"];

          SystemCallFiltering["System Call Filtering"] -.->
            | May Isolate | T1055013["Process Doppelgänging"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class CreateProcess ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";

json