Good news ! Hackbusters community is waiting for you !  https://discuss.hackbusters.com
KnowBe4 has been running the HackBusters site for a few years now, providing you with trending IT security news. We are expanding it and have launched a new exciting online community! The forum is divided into four main topics or categories: Social Engineering, Ransomware, Phishing and Security Awareness Training. You are invited to be one of the first to join us at: https://discuss.hackbusters.com.

"Process Doppelgänging" Attack Works on All Windows Versions

Doppleganging

Today, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelgänging."

This new attack works on all Windows versions and researchers say it bypasses most of today's major security products.

Process Doppelgänging is somewhat similar to another technique called Process Hollowing, but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

Doppelgänging works by utilizing two key distinct features together to mask the loading of a modified executable. By using NTFS transactions, we make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while...(continued)

View All Trending Stories