What is Process Ghosting and how does it enable red team tradecraft?
Learn what Process Ghosting is and how it fits into red team tradecraft.
You must have seen one of those movies where a group of thieves wants to rob a high-security building. One of the steps they perform, as part of their operational security, is manipulating the CCTV feed to ghost themselves: they play a pre-recorded clip of 15-30 seconds so it looks like no one is there while in reality they are sneaking in. After the [successful] robbery they remove their fix and the feed goes back to being live. The security personnel monitoring the CCTV feed are never alerted to the thieves’ entry and remain under the false impression that everything is fine.
For the purpose of this write-up, let’s define ghosting as:
Making actual actions seem like they were performed by an entity which does not exist in reality.
Using the above definition, Process Ghosting can be defined as creating a process from an executable which no longer exists on disk by the time the process starts. It seems supernatural but it’s not, as explained by security researchers from Elastic Security.
As per Elastic’s research, a Process Ghosting attack involves the following steps:
1. Create a file.
2. Put the file into a delete-pending state using NtSetInformationFile(FileDispositionInformation). Note: Attempting to use FILE_DELETE_ON_CLOSE instead will not delete the file.
3. Write the payload executable to the file. The content isn’t persisted because the file is already delete-pending. The delete-pending state also blocks external file-open attempts.
4. Create an image section for the file.
5. Close the delete-pending handle, deleting the file.
6. Create a process using the image section.
7. Assign process arguments and environment variables.
8. Create a thread to execute in the process.
Red Team Notes
- Since the file is put into a delete-pending state as soon as it is created, security scanners are not able to obtain a handle to the file for scanning.
- Security scanners often scan files only when they are opened or closed, for performance reasons. In this case they cannot scan the file on open, because it is delete-pending, and they cannot scan it on close, because the file is deleted as soon as it is closed.
- Security scanners receive the process creation notification only when the first thread is created within a process, so there is a gap between process creation and the notification reaching the scanners; by then the backing file is already gone.
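As a defensive counterpart to the notes above, here is an added example (not from the original post, Elastic’s research or the PoC) that triages process-creation telemetry for processes whose recorded image path no longer exists on disk, which is the footprint a ghosted process leaves once its file has been deleted. The JSON-lines event format, the file paths and the `KNOWN_FILES` set standing in for the filesystem are constructed assumptions for the example.

```python
import json
import os
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample process-creation events in a simplified JSON-lines form
# (a stand-in for EDR/Sysmon telemetry, not any vendor's actual schema).
SAMPLE_EVENTS = r"""
{"event": "process_create", "pid": 4120, "image": "C:\\Windows\\System32\\notepad.exe", "parent_pid": 1200}
{"event": "process_create", "pid": 4388, "image": "C:\\Users\\Public\\tmp1a2b.tmp", "parent_pid": 4120}
{"event": "process_create", "pid": 4402, "image": "", "parent_pid": 4120}
{"event": "file_write", "pid": 4388, "path": "C:\\Users\\Public\\out.txt"}
"""

# Constructed stand-in for the filesystem: only this path "exists" in the example.
KNOWN_FILES = {r"C:\Windows\System32\notepad.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    reason: str


def check_event(event: dict, path_exists: Callable[[str], bool]) -> Optional[Finding]:
    """Flag a process-creation event whose image cannot be found on disk.

    A ghosted process was started from an image section whose file was deleted
    before the first thread ran, so the path reported at creation points at nothing.
    """
    image = event.get("image", "")
    if not image:
        return Finding(event["pid"], image, "no image path recorded at process creation")
    if not path_exists(image):
        return Finding(event["pid"], image, "image path does not exist on disk")
    return None


def scan_events(lines: Iterable[str],
                path_exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Parse JSON-lines telemetry and collect findings for process_create events.

    `path_exists` is injectable so the logic can run against constructed input
    (as below) or against the live filesystem (the default).
    """
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if event.get("event") != "process_create":
            continue  # only process creation carries the image path we need
        finding = check_event(event, path_exists)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS.splitlines(), path_exists=lambda p: p in KNOWN_FILES):
        print(f"pid {f.pid}: {f.reason} ({f.image!r})")
```

A missing image file is also what a legitimate updater or self-deleting installer leaves behind, so treat a finding as a triage signal to correlate with parent process and timing rather than as a verdict on its own.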
If you want to dive deeper into the technical details of this technique, refer to the research article published by Elastic Security. It also contains a demo video.
Wra7h published a PoC based on Elastic’s research. In this article, Harshit Rajpal uses that PoC to demonstrate Process Ghosting.