Execution Of Non-Existing File via Process Ghosting
This brief details the Process Ghosting technique, an advanced evasion method leveraged by attackers to create and execute processes from files that no longer exist on disk, challenging traditional endpoint detection solutions and hindering forensic investigations.
This brief details the Process Ghosting technique, an advanced evasion method leveraged by attackers to create and execute processes from files that no longer exist on disk. First documented in late 2021 by security researchers, Process Ghosting capitalizes on specific Windows kernel mechanics and Native API calls to bypass traditional endpoint detection and response (EDR) solutions that rely on disk-based file integrity checks for process attribution. Attackers employ this method to obfuscate their activities, making it challenging for defenders to trace the origin of a malicious process, attribute it to a specific executable, and ultimately hinder forensic investigations. This technique is a significant concern for security teams as it allows malicious code to run with reduced detectability and can be combined with other techniques like process injection (T1055) or privilege escalation (TA0004).
Attack Chain
- Attacker initiates a process creation using Windows Native APIs, specifically
NtCreateProcessExandNtCreateSection, preparing to map a file into memory. - A transactional file is created on disk (e.g., using
CreateFileTransacted), containing the malicious payload, and then mapped into a new section object. - The transaction for the file is then rolled back (
RollbackTransaction), causing the original malicious file to be immediately removed from disk. - Despite the file's deletion from disk, its content remains mapped in the process's memory section, appearing as a ghost image.
- The attacker can optionally use
NtWriteVirtualMemoryto further modify or inject code into the mapped memory region, potentially escalating privileges or modifying behavior. - The process execution is then started (e.g., via
NtCreateThreadEx), running the malicious code directly from memory. - Logging systems, attempting to record the process's original image path (like Sysmon Event ID 1), find no corresponding file on disk, leading to a null or non-absolute path in process creation logs, effectively evading disk-based file integrity checks.
Impact
Successful deployment of Process Ghosting significantly degrades an organization's ability to detect and respond to malicious activity. By executing from non-existent files, attackers can bypass security controls that scan or monitor executable files on disk, such as antivirus and some EDR capabilities. This technique complicates incident response, making forensic analysis more difficult as the original malicious binary is not available for collection and attribution. If undetected, this can lead to prolonged attacker presence, data exfiltration, system compromise, or further deployment of ransomware, increasing recovery costs and potential regulatory fines, potentially affecting any sector.
Recommendation
- Enable Sysmon process-creation logging (Event ID 1) with
ImageandCommandLinefields to capture the necessary telemetry for the rule "Execution Of Non-Existing File". - Deploy the "Execution Of Non-Existing File" Sigma rule in this brief to your SIEM and tune it for your environment to detect
Imagepaths that arenullor non-absolute. - Review logs for processes with null or non-absolute paths in the
Imagefield, specifically looking forMemCompression,Registry,System,vmmem, orvmmemWSLprocesses with non-absolute paths which may indicate this evasion technique.
Detection coverage 1
Execution Of Non-Existing File
highDetects process creation events where the Image field lacks an absolute path, which occurs when the backing file no longer exists on disk at the time of logging — commonly caused by Process Ghosting or other unorthodox process creation techniques, often for evasion.
Detection queries are available on the platform. Get full rules →