T1055.013: Process Doppelgänging
Adversaries may inject malicious code into a process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.
Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. [1] To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. [2] To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. [3]
Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. [4]
Adversaries may abuse TxF to perform a file-less variation of Process Injection. Similar to Process Hollowing, process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. [4]
Process Doppelgänging is implemented in 4 steps [4]:
* Transact – Create a TxF transaction using a legitimate executable, then overwrite the file with malicious code. These changes are isolated and only visible within the context of the transaction.
* Load – Create a shared section of memory and load the malicious executable.
* Rollback – Undo the changes to the original executable, effectively removing the malicious code from the file system.
* Animate – Create a process from the tainted section of memory and initiate execution.
This behavior will likely not result in elevated privileges, since the injected process was spawned from (and thus inherits the security context of) the injecting process. However, execution via process doppelgänging may evade detection from security products, since the execution is masked under a legitimate process.
Analyst context for executives and security teams
Process Doppelgänging matters because it is a Windows process-injection variant designed to make malicious execution appear to come from a legitimate process while minimizing file-system residue. For leaders, the practical issue is not just malware execution; it is whether endpoint defenses and SOC workflows can recognize suspicious behavior when the executable on disk may look clean and the running process may look trusted.
Executive priority
Prioritize this as an endpoint resilience and incident-response readiness issue for Windows environments. ATT&CK links this technique to stealth and privilege-escalation tactics, but the official description notes it will likely not elevate privileges because the spawned process inherits the injecting process context. The business decision point is whether controls rely too heavily on process names, file reputation, or known malicious files, versus behavior-based endpoint prevention and investigation evidence. Its relationship to SynAck and Bazar also makes it relevant to ransomware and downloader/backdoor preparedness without implying current exposure.
Technical view
SOC and detection teams should validate Windows coverage for the parent Process Injection technique T1055 and this sub-technique T1055.013. The behavior abuses Transactional NTFS to alter an executable within a transaction, load code into memory, roll back the on-disk change, and execute from the resulting memory section. Because the technique may avoid highly monitored APIs associated with other injection methods, detections should not depend only on NtUnmapViewOfSection, VirtualProtectEx, or SetThreadContext. Use the related DET0544 detection strategy where available, and validate behavior-prevention controls mapped to M1040 against suspicious process, file, API, and endpoint activity patterns.
Likely telemetry
- Windows endpoint process creation and parent-child process relationships
- Endpoint events for executable file access, modification, rollback, or transaction-like file behavior where available
- API or EDR behavioral telemetry involving Transactional NTFS usage and process/image creation
- Memory section or image-load telemetry indicating execution not matching the committed file state on disk
- Endpoint protection or EDR alerts for suspicious process behavior and process injection
Detection direction
- Validate whether DET0544 or equivalent analytics are deployed and tuned for Windows systems where TxF behavior is observable.
- Correlate process creation with file-system and memory/image-load evidence; avoid trusting process name or signed-looking path alone.
- Account for the blind spot that Process Doppelgänging may avoid common process-hollowing APIs that some detections monitor heavily.
- Tune for rare or suspicious Transactional NTFS behavior involving executable content, while allowing for legitimate software that may use transaction mechanisms.
- Review coverage under the broader Process Injection technique T1055 so this sub-technique is not missed when detections are organized only by parent technique.
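As an added illustration of the correlation these points call for (not part of the ATT&CK object or Glexia's analysis), the following Python walks constructed EDR-style API events per process and flags only a process that completes the transact, load, rollback, animate sequence on an executable within a short window. The API event names, the event tuple layout and the window are assumptions standing in for whatever your EDR actually emits; a committed transaction is treated as ordinary TxF use and is not flagged.

```python
from collections import defaultdict

# Stage order of the TxF sequence from the technique text (transact, load, rollback, animate).
# These API names are an assumed EDR event vocabulary, not any vendor's schema.
STAGES = ("CreateTransaction", "CreateFileTransacted", "NtCreateSection",
          "RollbackTransaction", "NtCreateProcessEx")
EXEC_EXT = (".exe", ".dll", ".scr")

# Constructed sample telemetry: (timestamp_s, pid, api, detail).
EVENTS = [
    (100.0, 4242, "CreateTransaction", ""),
    (100.1, 4242, "CreateFileTransacted", r"C:\Windows\System32\svchost.exe"),
    (100.2, 4242, "NtCreateSection", "SEC_IMAGE"),
    (100.3, 4242, "RollbackTransaction", ""),
    (100.4, 4242, "NtCreateProcessEx", "section"),
    (200.0, 5151, "CreateTransaction", ""),            # benign installer-style TxF use
    (200.1, 5151, "CreateFileTransacted", r"C:\App\settings.dat"),
    (200.2, 5151, "CommitTransaction", ""),
]


def find_doppelganging(events, window=10.0):
    """Return one finding per process that walks every stage in STAGES, in order,
    within `window` seconds, where the transacted write targets an executable.
    Partial sequences and committed transactions are not flagged."""
    per_pid = defaultdict(list)
    for ev in sorted(events):
        per_pid[ev[1]].append(ev)
    findings = []
    for pid, seq in per_pid.items():
        stage, start, target = 0, None, None
        for ts, _, api, detail in seq:
            if start is not None and ts - start > window:
                stage, start, target = 0, None, None   # too slow: restart the match
            if api == "CommitTransaction":
                stage, start, target = 0, None, None   # committed: ordinary TxF use
                continue
            if api != STAGES[stage]:
                continue                               # not the next expected stage
            if stage == 0:
                start = ts
            elif stage == 1:
                if not detail.lower().endswith(EXEC_EXT):
                    continue                           # transacted write, but not an executable
                target = detail
            stage += 1
            if stage == len(STAGES):
                findings.append({"pid": pid, "image": target, "first_ts": start, "last_ts": ts})
                stage, start, target = 0, None, None
    return findings
```

Real telemetry will need the transaction handle or file path carried across events so that unrelated TxF activity in the same process does not chain into one match.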
Mitigation priorities
- Prioritize behavior prevention on endpoints as identified by M1040, especially controls that analyze process, file, API, and endpoint-event behavior rather than relying only on signatures.
- Ensure Windows endpoint controls can block or alert on suspicious process-injection-like behavior even when the on-disk file appears benign after rollback.
- Harden SOC playbooks so analysts collect process, memory, file, and endpoint behavioral evidence before assuming a legitimate process is safe.
- Use this technique in control validation exercises for ransomware/downloader readiness because ATT&CK relates it to SynAck and Bazar.
- Document detection and prevention evidence for audit or compliance discussions where endpoint monitoring and response capability must be demonstrated.
Analyst notes and limits
This is a Windows-only ATT&CK sub-technique of Process Injection. The official ATT&CK object provides strong behavioral detail but no official detection text. The most decision-useful relationships are DET0544 for detection strategy, M1040 for behavior prevention on endpoint, T1055 as the parent technique, and reported use by Leafminer, SynAck, and Bazar.
This take is based only on the supplied ATT&CK fields and relationships. It does not establish active exploitation, customer exposure, attribution, or guaranteed detectability. Local endpoint telemetry, EDR visibility, Windows versions, and legitimate TxF usage must be assessed in the environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055 | Process Injection | This object is a sub-technique of Process Injection. |
| Enterprise | T1186 | Process Doppelgänging | T1186 (Process Doppelgänging) was revoked and is superseded by this object. |
Groups, software, and campaigns
G0077: Leafminer
S0242: SynAck
S0534: Bazar
Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 108a24a3a5c6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft. (n.d.). Transactional NTFS (TxF). Retrieved December 20, 2017.
[2] Microsoft. (n.d.). Basic TxF Concepts. Retrieved December 20, 2017.
[3] Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved December 20, 2017.
[4] Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017.
[5] MITRE ATT&CK. T1055.013.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.