Process Ghosting
This article describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF).
Research:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
C# Code Snippet:
https://github.com/Wra7h/SharpGhosting
#edr #evasion #process #ghosting #csharp
This article describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF).
Research:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
C# Code Snippet:
https://github.com/Wra7h/SharpGhosting
#edr #evasion #process #ghosting #csharp
🔥3
APT
Process Ghosting This article describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan…