What is Process Reimaging and how does it enable red team tradecraft?
Learn what Process Reimaging is and how it is used in red team tradecraft.
Let’s say you want to start a gambling den in your neighborhood. You lease, rent, or buy a small shop, and you quietly launch the den (launching bad.exe as shop.exe). However, you know that the authorities will eventually come knocking for an inspection (endpoint security scanning). You build a hidden basement under your shop and move the gambling den there (renaming the path of the current shop.exe). You then open a nice restaurant as a front (copying good.exe to shop.exe, i.e. reimaging). As a result, when the authorities come for an inspection, they see your nice and bustling restaurant and think that there’s nothing illegal going on. They don’t notice the gambling den in the hidden basement because their system never alerted them about you building a basement (the flaw in the operating system that enables this technique).
The above technique is known as Process Reimaging.
Red Team Notes
- Process Reimaging is a technique where a red team operator launches a malicious executable, then replaces (or reimages) the executable file with a non-malicious one, such that the malicious process appears to be mapped to the non-malicious executable, thus bypassing detection.
- This technique takes advantage of the incorrect information reported by certain Windows APIs (such as K32GetProcessImageFileName) that are used for retrieving process file information.
- It does not involve any kind of process injection but requires the malicious file to be written on the disk i.e. it is not fileless.
- It also requires that the anti-virus solution on the target machine not have signatures that identify the malicious executable file. Most open-source and commercial red team tools will have signatures, but it is not that difficult to modify the generated payloads or tools (in the case of open-source tools) to bypass them.
If you want to dive deep into the technical details of how Process Reimaging works, read the original research published by the McAfee Security team or watch the video below. To make it easier to understand, have a look at this C# PoC developed by Dwight Hohnstein. Dwight has also published a C++ PoC for this technique.
Like most evasion techniques, it can be detected if you know where and what to look at. The SpecterOps team has published a methodology to detect this technique.
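As an added example (not from the original post, and not the SpecterOps methodology itself), here is a simple PowerShell heuristic that flags running processes whose on-disk image file was created or modified after the process started, which is exactly the trace left behind when a benign binary is copied over the path of an already-running executable. It assumes a Windows host; an elevated session is needed to read the start time and image path of processes owned by other users.

```powershell
# Added example: flag processes whose image file on disk is newer than the
# process itself. After reimaging, the file at the reported path is a fresh
# copy (new CreationTime / LastWriteTime) while the process started earlier.
function Find-ReimagedProcessCandidates {
    param([int]$GraceSeconds = 2)   # tolerate timestamp rounding and clock skew

    $grace = [TimeSpan]::FromSeconds($GraceSeconds)

    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $path = $proc.Path
        if (-not $path) { return }                      # protected/system processes expose no path

        try { $started = $proc.StartTime.ToUniversalTime() } catch { return }   # access denied

        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $file) {
            # The reported image path no longer exists on disk: also worth a look
            [pscustomobject]@{
                PID = $proc.Id; Name = $proc.ProcessName; Path = $path
                Started = $started; FileCreated = $null; FileWritten = $null
                Reason = 'image path missing on disk'
            }
            return
        }

        $threshold = $started + $grace
        if ($file.CreationTimeUtc -gt $threshold -or $file.LastWriteTimeUtc -gt $threshold) {
            [pscustomobject]@{
                PID = $proc.Id; Name = $proc.ProcessName; Path = $path
                Started = $started
                FileCreated = $file.CreationTimeUtc
                FileWritten = $file.LastWriteTimeUtc
                Reason = 'image file created/written after process start'
            }
        }
    }
}

# Usage: list candidates for an analyst to triage
Find-ReimagedProcessCandidates | Format-Table -AutoSize
```

Timestamps can be manipulated and legitimate in-place updates of a running application will also trip this check, so treat a hit as a lead and corroborate it with the hash recorded by your process-creation telemetry (for example Sysmon event ID 1) against a hash of the file currently at that path.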
This is the recording of the presentation "In NTDLL I Trust: Process Reimaging and Endpoint Security Solution Bypass" by Eoin Carroll, presented at Hack In Paris 2019.