
What you need to know about Process Ghosting, a new executable image tampering attack

Blog post from Elastic

Post Details
Company: Elastic
Word Count: 1,745
Language: English
Summary

Process Ghosting is a newly identified executable image tampering attack that exploits a timing gap in Windows' process creation notifications to evade security products. The technique writes malware to disk in a delete-pending state, maps it to an image section, and then deletes the file, so that the process runs from the section as though it were backed by an ordinary file. Unlike earlier methods such as Process Doppelgänging and Process Herpaderping, Process Ghosting does not rely on code injection, process hollowing, or Transactional NTFS. It manipulates the process creation sequence to bypass security scans: the file is already deleted by the time antivirus software receives the process creation notification and tries to examine it. Demonstrated to circumvent common security measures, Process Ghosting poses a challenge to defenders who rely on traditional file-based malware detection. Elastic Security has developed methods to detect such tampering techniques by monitoring for abnormalities during process creation. Despite its potential to bypass existing defenses, Microsoft's response indicates that this issue does not meet their criteria for immediate servicing.