Security researchers at Elastic Security have disclosed a new technique called “Process Ghosting,” which could allow an attacker to secretly run malicious code on a Windows machine undetected by security software.
This technique involves modifying a piece of malware so that it appears to be a regular file on disk, and it relies on neither code injection, Process Hollowing, nor Transactional NTFS (TxF):
“With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk,” Elastic Security researcher Gabriel Landau said.
The new method, called Process Ghosting, enables the execution of arbitrary code without the knowledge of end-users while evading anti-malware defenses. It is similar to known endpoint-bypass methods such as Process Doppelgänging and Process Herpaderping, but goes a step further.
Process Doppelgänging, analogous to Process Hollowing, injects arbitrary code into the address space of a live process, which is then executed from a trusted service. Process Herpaderping obscures the behavior of a process by modifying its executable after it has been loaded into memory.
Process Ghosting, by contrast, takes advantage of “a gap between when a process is created and when security products are notified of its creation”, which allows attackers to tamper with an executable before it is scanned by security tools.
Unlike Doppelgänging and Herpaderping, this technique runs executables that are marked for deletion but not technically deleted yet. This works because Windows attempts to prevent a mapped executable from being modified or deleted once it has been mapped into an image section.
“This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section,” Landau explained. “This is Process Ghosting.”
The researchers presented a proof-of-concept attack in which Windows Defender failed to open a malicious payload for scanning because the file was in a delete-pending state. The payload was then deleted and Windows Defender failed again, which allowed the researchers to execute the payload unimpeded.
Elastic Security reported the flaw in Windows to the Microsoft Security Response Center in May 2021, but Microsoft stated the bug did not meet its “bar for servicing.”