
Researchers Uncover 'Process Ghosting' — A New Malware Evasion Technique
2021-06-17 01:05

Process Ghosting expands on previously documented endpoint bypass methods such as Process Doppelgänging and Process Herpaderping, thereby enabling the veiled execution of malicious code that may evade anti-malware defenses and detection.

Process Doppelgänging, analogous to Process Hollowing, involves injecting arbitrary code in the address space of a legitimate application's live process that can then be executed from the trusted service.

Process Herpaderping, first detailed last October, describes a method to obscure the behavior of a running process by modifying the executable on disk after the image has been mapped in memory.

The evasion works because of "a gap between when a process is created and when security products are notified of its creation," giving malware developers a window to tamper with the executable before security products can scan it.

Microsoft, for its part, released an updated version of its Sysinternals Suite this January with an improved System Monitor (Sysmon) utility to help detect Process Herpaderping and Process Hollowing attacks.

As a result, Sysmon version 13.00 can now generate and log "Event ID 25" when a piece of malware tampers with a legitimate process or when a process image is changed from a different process, with Microsoft noting that the event is triggered "When the mapped image of a process doesn't match the on-disk image file, or the image file is locked for exclusive access."
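As an added example of what a defender does with that signal (this is not code from The Hacker News article or from Microsoft), the script below triages Sysmon Event ID 25 records from a JSON-lines log such as a log forwarder would emit. The field names (EventID, Image, ProcessId, User, Type) are assumed to follow Sysmon's ProcessTampering schema, the two Type strings are assumed from that schema, every sample value is constructed, and the "user-writable location" heuristic is this example's own triage rule rather than anything Sysmon provides.

```python
"""Triage Sysmon Event ID 25 (ProcessTampering) records from JSON-lines logs."""
import json
from collections import Counter

# Constructed sample: four Sysmon events as a log forwarder would emit them,
# one JSON object per line. Field names are assumed to follow the
# ProcessTampering schema; every value here is invented for this example.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ProcessId": 4120, "User": "CORP\\alice"},
    {"EventID": 25, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ProcessId": 5544, "User": "CORP\\alice", "Type": "Image is replaced"},
    {"EventID": 25, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "ProcessId": 812, "User": "CORP\\bob", "Type": "Image is locked for access"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ProcessId": 1044, "User": "NT AUTHORITY\\SYSTEM"},
])

# Example-specific triage hint (not a Sysmon feature): a tampered image in a
# user-writable directory deserves a higher priority than one under Program Files.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_events(log_text):
    """Yield event dicts, skipping blank or malformed lines instead of aborting."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def score_tampering(event):
    """Return (severity, reasons) for one Event ID 25 record."""
    reasons = []
    severity = "medium"
    image = event.get("Image", "").lower()
    if event.get("Type") == "Image is replaced":
        # On-disk bytes no longer match the mapped image: the case the article
        # describes for herpaderping-style tampering, not merely a locked file.
        severity = "high"
        reasons.append("mapped image differs from on-disk file")
    else:
        reasons.append("image file locked for exclusive access")
    if any(hint in image for hint in USER_WRITABLE_HINTS):
        severity = "high"
        reasons.append("image in user-writable location")
    return severity, reasons


def find_tampering(log_text):
    """Return one alert dict per Event ID 25 record, in log order."""
    alerts = []
    for event in parse_events(log_text):
        if event.get("EventID") != 25:
            continue
        severity, reasons = score_tampering(event)
        alerts.append({
            "pid": event.get("ProcessId"),
            "image": event.get("Image"),
            "user": event.get("User"),
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


def severity_counts(alerts):
    """Summarise alerts by severity for a report or dashboard tile."""
    return Counter(a["severity"] for a in alerts)


if __name__ == "__main__":
    alerts = find_tampering(SAMPLE_LOG)
    for alert in alerts:
        print(alert["severity"].upper(), alert["pid"], alert["image"],
              "; ".join(alert["reasons"]))
    print(dict(severity_counts(alerts)))
```

Event ID 25 on its own is not proof of malice: some legitimate installers and packers also rewrite or lock their own image, so the path-based priority here is a starting point for triage, and the event is best correlated with the process creation (Event ID 1) record for the same ProcessId and with the image's code-signing status before acting on it.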

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/xuQ-8DTmGS0/researchers-uncover-process-ghosting.html