{"id":117143,"date":"2022-06-30T06:30:00","date_gmt":"2022-06-30T13:30:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=117143"},"modified":"2023-05-26T14:29:18","modified_gmt":"2023-05-26T21:29:18","slug":"using-process-creation-properties-to-catch-evasion-techniques","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/","title":{"rendered":"Using process creation properties to catch evasion techniques"},"content":{"rendered":"\n<p>We developed a robust detection method in <a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/endpoint-defender\">Microsoft Defender for Endpoint<\/a> that can catch known and unknown variations of a process execution class used by attackers to evade detection. This class of stealthy execution techniques breaks some assumptions made by security products and enables attackers to escape antimalware scans by circumventing process creation callbacks using a legacy process creation syscall. Publicly known variations of this class are process doppelganging, process herpaderping, and process ghosting.<\/p>\n\n\n\n<p>Evasion techniques used by attackers often involve running malware within the context of a trusted process or hiding code from filesystem and memory scanners. More sophisticated attackers even carefully choose their process host so that their actions are run by a process that often performs these actions for benign reasons. For example, a browser process communicating with the internet seems completely normal, while an instance of <em>cmd.exe<\/em> doing the same sticks out like a sore thumb. This class of stealthy execution techniques, however, allows malware to create its own malicious process and prevent antimalware engines from detecting it.<\/p>\n\n\n\n<p>This blog post presents our detailed analysis of how this process execution class works and how it takes advantage of Windows functionalities to evade detection. It also presents a peek into the research, design, and engineering concerns that go into the development of a detection method aiming to be as robust and future-proof as possible.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Common classes of stealthy process execution<\/h2>\n\n\n\n<p>On Windows systems, most methods attackers use to run code within another process fall within two classes: <em>process injection<\/em> and <em>process hollowing<\/em>. These classes allow attackers to run their code within another process without explicitly creating it from an executable, or making it load a dynamic link library (DLL). &nbsp;Similar classes of techniques are often also called process injection, but this term will be used in a more specific definition for clarity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Process injection<\/h3>\n\n\n\n<p>Process injection, the widest and most common class, consists of different techniques that introduce attacker-supplied executable memory into an already running process. Techniques in this class consist of two main parts:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Write primitive:<\/strong> A Windows API function, or a set of APIs, used to introduce malware into the target process.<\/li><li><strong>Execution primitive:<\/strong> A Windows API method to redirect the execution of the process to the code provided by the attacker.<\/li><\/ul>\n\n\n\n<p>An example of a classic process injection flow is malware using the <em>VirtualAllocEx<\/em> API to allocate a buffer within a target process, <em>WriteProcessMemory<\/em> to fill that buffer with the contents of a malware module, and <em>CreateRemoteThread<\/em> to initiate a new thread in the target process, running the previously injected code.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Process hollowing<\/h3>\n\n\n\n<p>In process hollowing, instead of abusing an already running process, an attacker might start a new process in a suspended state and use a write primitive to introduce their malware module before the process starts running. By redirecting the entry point of the process before unsuspending, the attacker may run their code without using an explicit execution primitive.<\/p>\n\n\n\n<p>Variants (and sometimes combinations) of both classes exist and differ from each other mostly by the&nbsp; APIs being used. The APIs vary because a different function used to achieve the goal of one of the steps may not go through the numerous points at which an endpoint protection product intercepts such behavior, which can break detection logic.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">New stealth techniques<\/h2>\n\n\n\n<p>In the past few years, stealth techniques from a process execution class have emerged that don\u2019t strictly fit into any of the previously mentioned classes. In this class, instead of modifying the memory of an already created (but perhaps not yet executing) process, a new process is created from the image section of a malware. By the time a security product is ready to scan the file, the malware bits aren\u2019t there anymore, effectively pulling the rug from under antimalware scanners. This technique requires defenders to use a different detection method to catch attacks that use it. As of today, the following variations of this class are known publicly as the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Process doppelganging<\/strong><sup>1<\/sup><strong>:<\/strong> Abusing transactional NTFS features to create a volatile version of an executable file used for process creation, with the file never touching the disk.<\/li><li><strong>Process herpaderping<\/strong><sup>2<\/sup><strong>:<\/strong> Utilizing a writable handle to an executable file to overwrite the malware bits on disk before antimalware services can scan the executable, but after a process has already been created from the malicious version.<\/li><li><strong>Process ghosting<\/strong><sup>3<\/sup><strong>:<\/strong> Abusing a handle with delete permissions to the process executable to delete it before it has a chance to be scanned.<\/li><\/ul>\n\n\n\n<p>This process execution class, including the variations mentioned above, takes advantage of the way the following functionalities in the operating system are designed to evade detection by security products:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Antimalware engines don\u2019t scan files after every single modification.<\/li><li>Process creation callbacks, the operating system functionality that allows antimalware engines to scan a process when it\u2019s created, is invoked only when the first thread is inserted into a process.<\/li><li><em>NtCreateProcessEx<\/em>, a legacy process creation syscall, allows the creation of a process without populating it with any thread.<\/li><\/ul>\n\n\n\n<p>The following sections explain in more detail how these functionalities are abused.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When are files scanned?<\/h3>\n\n\n\n<p>A key feature of this process execution class is circumventing a file scan. Ideally, files are scanned whenever they\u2019re modified. Otherwise, an attacker could simply modify an existing file into a malicious one, use it to create a process, and then either revert the file or delete it. So, why aren\u2019t files scanned on every file change?<\/p>\n\n\n\n<p>The answer lies in performance concerns. Consider a scenario in which a 1MB file is opened, and it\u2019s overwritten by calling an API like <a href=\"https:\/\/docs.microsoft.com\/windows\/win32\/api\/fileapi\/nf-fileapi-writefile\"><em>WriteFile<\/em><\/a> for every byte that needs to be overwritten. While only 1MB would be written to disk, the file would have to be scanned one million times, resulting in ~1 terabyte of data being scanned!<\/p>\n\n\n\n<p>While the example is a good way to assure no detectably malicious content is written to disk, the amount of computing power it will use up makes it an unviable solution. Even a caching solution would simply shift the high resource usage to memory, as a product would need to keep information about the content of every single open file on the machine to be useful.<\/p>\n\n\n\n<p>Therefore, the most common design for file scanning engines ignores the various transient states of the file content and initiates a scan whenever the handle to the file is closed. &nbsp;This is an optimal signal that an application is done modifying a file for now, and that a scan would be meaningful. To determine what the file is about to execute as a process, the antimalware engine scans the file\u2019s content at the time of process creation through a process creation callback.<\/p>\n\n\n\n<p>Process creation callbacks in the kernel, such as those provided by the <a href=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/ddi\/ntddk\/nf-ntddk-pssetcreateprocessnotifyroutineex\"><em>PsSetCreateProcessNotifyRoutineEx<\/em><\/a> API, is the functionality in the operating system that allows antimalware engines to inspect a process while it\u2019s being created. It can intercept the creation of a process and perform a scan on the relevant executable, all before the process runs.<\/p>\n\n\n\n<p>Process creation notification isn\u2019t invoked right when a process creation API is called, but rather when the first thread is inserted into a process. But since <em>NtCreateUserProcess<\/em>, the syscall used by all common high-level APIs to create a process, is designed to do a lot of the work required to create a process in the kernel, the insertion of the initial thread into the created process happens within the context of the syscall itself. This means that the callback launches while the process is still being created, before user mode has a chance to do anything.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"117\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-1-process-creation-callbacks-being-invoked-from-ntcreateuserprocess.png\" alt=\"A screenshot of code with a list of process creation callbacks invoked from the syscall NtCreateUserProcess.\" class=\"wp-image-117149\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-1-process-creation-callbacks-being-invoked-from-ntcreateuserprocess.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-1-process-creation-callbacks-being-invoked-from-ntcreateuserprocess-300x44.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-1-process-creation-callbacks-being-invoked-from-ntcreateuserprocess-768x112.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 1. Process creation callbacks being invoked from NtCreateUserProcess<\/figcaption><\/figure>\n\n\n\n<p>The call stack indicates that in this scenario, <em>PspCallProcessNotifyRoutines<\/em>, the function responsible for invoking process creation callbacks, is called from <em>PspInsert<\/em><em>thread<\/em> during the insertion of the initial thread into the process. It also indicates that the subsequent process creation callbacks are all called from within <em>NtCreateUserProcess<\/em>, and that they both finish executing before the syscall returns. This enables the antimalware to scan the process for malware activity as it\u2019s created. This works if the process is created using <em>NtCreateUserProcess<\/em>. However, as researchers have found, there are other ways to create a process apart from this syscall.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How are processes created?&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/h3>\n\n\n\n<p>The syscall <em>NtCreateUserProcess<\/em> has only been available since the release of Windows Vista. Processes created by the <em>CreateProcess<\/em> API or any API using the <em>NtCreateUserProcess<\/em> syscall only provide the path to the executable. Meanwhile, the kernel opens the file without any share access that could allow modification (no SHARE_WRITE\/SHARE_DELETE), creates an image section, and returns to user mode with the process pretty much ready to run (most legitimate Windows processes would require additional work to be done in user mode to operate correctly, but the NtCreateUserProcess syscall does the minimum work needed for a process to execute some code). This means that an attacker doesn\u2019t have the time or the capability to modify an executable file after calling <em>NtCreateUserProcess<\/em>, but only before it\u2019s scanned.<\/p>\n\n\n\n<p>Versions of the NT kernel prior to the release of Windows Vista used a different syscall called <em>NtCreateProcessEx<\/em>. This function doesn\u2019t adhere to the principle of doing a lot of the work in the kernel and in fact delegates a lot of the work normally associated with process creation on modern Windows platforms to user mode.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"257\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-2-the-function-signature-of-NtCreateProcessEx-note-the-absence-of-a-path-argument-and-the-presence-of-sectionhandle.png\" alt=\"Screenshot of code of the function signature of the syscall NtCreateProcessEx. Unlike NtCreateUserProcess, this syscall does not have contain code that receives a path argument. \" class=\"wp-image-117152\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-2-the-function-signature-of-NtCreateProcessEx-note-the-absence-of-a-path-argument-and-the-presence-of-sectionhandle.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-2-the-function-signature-of-NtCreateProcessEx-note-the-absence-of-a-path-argument-and-the-presence-of-sectionhandle-300x96.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-2-the-function-signature-of-NtCreateProcessEx-note-the-absence-of-a-path-argument-and-the-presence-of-sectionhandle-768x247.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 2. The function signature of NtCreateProcessEx. Note the absence of a path argument and the presence of SectionHandle.<\/figcaption><\/figure>\n\n\n\n<p>One difference between the two is that <em>NtCreateProcessEx<\/em> doesn\u2019t receive a path to the process executable as an argument, as is the case with <em>NtCreateUserProcess<\/em>. &nbsp;<em>NtCreateProcessEx<\/em> expects the application to open the file on its own and create an <a href=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/ddi\/wdm\/nf-wdm-zwcreatesection\">image section<\/a> from that file, which will be used as the main image section of the process, and the handle to which will be passed to <em>NtCreateProcessEx<\/em>.<\/p>\n\n\n\n<p>Also, unlike <em>NtCreateUserProcess<\/em>, <em>NtCreateProcessEx<\/em> &nbsp;creates a process object without populating the process with any threads, and the user application needs to explicitly insert the initial thread into the process using an API like <em>NtCreateThread<\/em>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"239\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-3-in-this-callstack-the-invocation-of-pspcallprocessnotifyroutine-and-pspinsert-thread-happens-from-within-ntcreatethreadex-not-from-within-a-proc.png\" alt=\"A screenshot of a callstack with the invocation of PspCallProcessNotifyRoutine and PspInsertThread. It is observed that the invocation of both happens from within NtCreateThreadEx. \" class=\"wp-image-117155\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-3-in-this-callstack-the-invocation-of-pspcallprocessnotifyroutine-and-pspinsert-thread-happens-from-within-ntcreatethreadex-not-from-within-a-proc.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-3-in-this-callstack-the-invocation-of-pspcallprocessnotifyroutine-and-pspinsert-thread-happens-from-within-ntcreatethreadex-not-from-within-a-proc-300x90.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-3-in-this-callstack-the-invocation-of-pspcallprocessnotifyroutine-and-pspinsert-thread-happens-from-within-ntcreatethreadex-not-from-within-a-proc-768x229.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 3. In this callstack, the invocation of PspCallProcessNotifyRoutine and PspInsertThread happens from within NtCreateThreadEx, not from within a process creation syscall.<\/figcaption><\/figure>\n\n\n\n<p>Combining this information with what we know about process creation callbacks allows us to come up with a generic flow for this stealthy process creation technique:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\"><li>The attacker opens the malware file and brings it into a transient modifiable state (writable without closing a handle, delete pending or an uncommitted transaction, and some other unpublished ones) while having malware content. The attacker doesn\u2019t close the file yet.<\/li><li>The attacker creates an image section from the file handle using <em>NtCreateSection(Ex)<\/em>.<\/li><li>The attacker creates a process using the image section handle as input.<\/li><li>The attacker reverts the file\u2019s transient state to a benign state (the file is deleted or overwritten, or a transaction is rolled back), and the handle is closed. At this point, the bits of the malware still exist in memory as the image section object is still there, but there is no trace of the malware content on the disk.<\/li><li>The attacker inserts the initial thread into the process, and only then will the process creation notification callback for that process be launched. At that point, there is no malware content left to scan.<\/li><li>The attacker now runs the malware process without its backing file ever being scanned.<\/li><\/ol>\n\n\n\n<p>In this generalized flow, a security product should be able to detect any variation of the technique if it can recognize that the process was created using the legacy <em>NtCreateProcessEx<\/em> syscall, which allows an adversary to run the process from a file in a transient state.<\/p>\n\n\n\n<p>Of course, one could circumvent the need for <em>NtCreateProcessEx<\/em> by performing a similar trick with loading DLLs. However, in this scenario, the adversary can either load a new DLL into a process they already have full code execution capabilities without changing its identity, or remotely place the offending DLL into another process, performing what is essentially process injection. In both cases, the technique\u2019s effectiveness as an evasion method is greatly diminished.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detecting legacy process creation<\/h2>\n\n\n\n<p>The first anomaly to recognize to detect attacks using this technique is to find out whether a process was created using the legacy <em>NtCreateProcessEx<\/em> syscall.<\/p>\n\n\n\n<p>The simplest way to do so would be to utilize user-mode hooking on the appropriate function in the NTDLL library. However, this approach would be easy to bypass, as it\u2019s assumed that the adversary has arbitrary execution capabilities in the process calling the syscall. This means they would be able to unhook any functions intercepted by a security product, or simply directly call the syscall from their own assembly code. Even if the security product was to traverse the user-mode call stack from a process creation callback and check the return address against known values, the product would still be subject to evasion since an attacker could employ some creative pushes and jumps in assembly code to construct a spoofed user-mode call stack to their liking.<\/p>\n\n\n\n<p>To create a robust detection for this behavior, information that can\u2019t be modified or spoofed by a user-mode adversary should be used. A good example of this is a Windows file system concept called <a href=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/ifs\/introduction-to-extra-create-parameters\">extra create parameters<\/a> (ECPs).<\/p>\n\n\n\n<p>ECPs are concepts that allow the kernel or a driver to attach some key-value information to a file create\/open operation. The idea is very similar to extended file attributes, but instead of applying to an entire file on disk, ECPs are a transient property related to a specific instance of an open file. This mechanism allows the operating system and drivers to respond to a file being opened under some special circumstances.<\/p>\n\n\n\n<p>An example of such special circumstances is a file being opened via Server Message Block (SMB). When this happens, an <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/ntifs\/ns-ntifs-_srv_open_ecp_context\"><em>SRV_OPEN_ECP_CONTEXT<\/em><\/a> structure is added to the <a href=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/kernel\/end-user-i-o-requests-and-file-objects\"><em>IRP_MJ_CREATE<\/em><\/a><em> IRP<\/em> with <em>GUID_ECP_SRV_OPEN<\/em> as a key.<\/p>\n\n\n\n<p>This ECP context contains information on the socket used for the communication with the SMB client, the name of the share which has been accessed, and some oplock information. A driver would then be able to use this information to appropriately handle the open operation, which might need some special treatment since the operation happened remotely. &nbsp;<\/p>\n\n\n\n<p>Interestingly, an exported, documented function named <a href=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/ddi\/fltkernel\/nf-fltkernel-fltisecpfromusermode\"><em>FsRtlIsEcpFromUserMode<\/em><\/a> exists to determine whether an ECP originated in user mode or kernel mode. This raises the concern that forgetting to use this function in a driver or the OS would cause potential security issues, as a user mode adversary could spoof an ECP. That isn\u2019t the case, though, as there is no functionality in the OS which allows a user to directly supply any ECP from user mode. The function itself checks whether a specific flag is set in the opaque ECP header structure, but there exists no code in the OS which can modify this flag.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Using ECPs for process creation API recognition<\/h3>\n\n\n\n<p>Starting with Windows 10, a very interesting ECP has been added to the operating system whenever a new process is created using <em>NtCreateUserProcess<\/em>. The <em>GUID_ECP_CREATE_USER_PROCESS<\/em> ECP and its related <em>CREATE_USER_PROCESS_ECP_CONTEXT<\/em> context are applied to the <em>IRP_MJ_CREATE<\/em> operation when the Windows kernel opens the process executable file. This ECP contains the token of the process to be created. In fact, the function used to open the executable path was changed from <em>ZwOpenFile<\/em> to <em>IoCreateFileEx<\/em> specifically to support ECPs on this operation.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"221\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-4-the-create-user-process-ecp-context.png\" alt=\"A screenshot of code showing the CREATE_USER_PROCESS_ECP_CONTEXT. \" class=\"wp-image-117158\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-4-the-create-user-process-ecp-context.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-4-the-create-user-process-ecp-context-300x83.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-4-the-create-user-process-ecp-context-768x212.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 4. The CREATE_USER_PROCESS_ECP_CONTEXT<\/figcaption><\/figure>\n\n\n\n<p>On the other hand, as covered earlier, <em>NtCreateProcessEx<\/em> doesn\u2019t open the process executable on its own but instead relies on the user to supply a section handle created from a file opened by the user themselves. Seeing as there is no way for the user to set the process creation ECP on their own handle, any process created using <em>NtCreateProcessEx<\/em> would be missing this ECP on the <em>IRP_MJ_CREATE<\/em> for its main image. Some cases exist in which the ECP wouldn\u2019t be present even when the legacy API wasn\u2019t used, but those can still be recognized. Barring those cases, the existence of the <em>CREATE_USER_PROCESS<\/em> ECP in the <em>IRP_MJ_CREATE<\/em> operation of the file object related to the main image of the process can now be used to precisely differentiate between processes created by <em>NtCreateUserProcess<\/em> and those created by <em>NtCreateProcessEx<\/em>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detecting processes created from files in a transient state<\/h2>\n\n\n\n<p>Since it\u2019s now possible to check when the legacy process creation API has been used, the next step would be to check if the usage of the legacy process creation API was used to abuse the time-of-check-time-of-use (TOCTOU) issue involving process creation callbacks. This means that the executable image used to create the process has been opened and used in a transient state, which would already be rolled back when it\u2019s to be scanned by an antimalware engine. To identify if TOCTOU was abused, it is important to examine the image section of the main executable of the process.<\/p>\n\n\n\n<p>Windows loads executable images into memory and shares their memory between processes using memory sections (also called <a href=\"https:\/\/docs.microsoft.com\/dotnet\/standard\/io\/memory-mapped-files\">memory-mapped files<\/a>). Each <em>FILE_OBJECT<\/em> structure for an open file contains a member called <em>SectionObjectPointers<\/em>, which contains pointers to the data and image section control areas relevant to the file, depending on whether if it has been mapped as a data file or an executable. The bits described by such a section may be backed either by a file on disk or by the page file (in which case the bits of the section won\u2019t persist on disk). This property determines whether the mapped section can be flushed and recovered from a file or disk, or simply paged out.<\/p>\n\n\n\n<p>However, an interesting thing happens when the connection between an image section and its backing file is severed. This can happen if, for example, the file is located on a remote machine or some removable storage, <em>Copy-on-Write<\/em> has been triggered, or most importantly, if the file has been somehow modified after the section has been created or could be modified in the future. During such cases, the image section becomes backed by the page file instead of the original file from which it was created.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"563\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-5-the-control-area-of-a-section-breaking-coherency-with-disk-note-the-writableuserreference-member-being-set.png\" alt=\"A screenshot of the resulting code when the connection between an image section and its backing file is severed. A line of code with the WritableUserReferences member being set is highlighted. \" class=\"wp-image-117161\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-5-the-control-area-of-a-section-breaking-coherency-with-disk-note-the-writableuserreference-member-being-set.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-5-the-control-area-of-a-section-breaking-coherency-with-disk-note-the-writableuserreference-member-being-set-300x211.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-5-the-control-area-of-a-section-breaking-coherency-with-disk-note-the-writableuserreference-member-being-set-768x540.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 5. The control area of a section breaking coherency with disk. Note the WritableUserReferences member being set.<\/figcaption><\/figure>\n\n\n\n<p>The <a href=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/ddi\/ntifs\/nf-ntifs-mmdoesfilehaveuserwritablereferences\"><em>MmDoesFileHaveUserWritableReferences<\/em><\/a> function provides the caller with the number of writable (or, more correctly, modifiable) references to the file object of a section and is used by the kernel transaction manager to preserve the atomicity of transactions. Otherwise, a file can be written, deleted, or simply gone when a transaction is to be committed. This function can be used for detection because a non-zero return value means that section coherency has been broken, and the logic switching the backing of the section to the page file has been triggered. This can help determine that the file is in one of the same transient states needed to abuse TOCTOU and evade detection.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detection through Microsoft Defender for Endpoint<\/h2>\n\n\n\n<p>The two primitives discussed earlier can now be combined into detection logic. First, the absence of the <em>GUID_ECP_CREATE_USER_PROCESS<\/em> ECP will verify if the process was created using the legacy API <em>NtCreateProcessEx<\/em>. Then, the function <em>MmDoesFileHaveUserWritableReferences<\/em> checks if the file\u2019s image section is backed by the page file, confirming that the process was created while the file is in a transient state. Meeting both conditions can determine that TOCTOU has been abused, whether by any of the published techniques, or a variation of it that uses similar concepts but abuses a functionality built into a driver to create a similar effect.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/endpoint-defender\">Microsoft Defender for Endpoint<\/a> can detect each of the known techniques in this class of stealthy process execution and gives out a specific alert for variations of process ghosting, herpaderping, and doppelganging found in the wild. Apart from the specific alerts for each variation, detections exist for the generalized flow and any abuse of the legacy process creation API, including unpublished variations.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"518\" height=\"405\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-6-microsoft-defender-for-endpoint-detections-for-variations-of-process-ghosting-herpaderping-and-doppelganging.png\" alt=\"A sample screenshot of the notifications from Microsoft Defender for Endpoint for detections related to process ghosting, herpaderping, and doppelganging. \" class=\"wp-image-117164\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-6-microsoft-defender-for-endpoint-detections-for-variations-of-process-ghosting-herpaderping-and-doppelganging.png 518w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/fig-6-microsoft-defender-for-endpoint-detections-for-variations-of-process-ghosting-herpaderping-and-doppelganging-300x235.png 300w\" sizes=\"auto, (max-width: 518px) 100vw, 518px\" \/><figcaption>Figure 6. Microsoft Defender for Endpoint detections for variations of process ghosting, herpaderping, and doppelganging.<\/figcaption><\/figure>\n\n\n\n<p>This blog post shares Windows internals knowledge and showcases a new detection method in Microsoft Defender for Endpoint that can help prevent detection evasion. Since data and signals from Microsoft Defender for Endpoint also feed into <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/microsoft-365-defender\">Microsoft 365 Defender<\/a>, this new detection method further enriches our protection technologies, providing customers a comprehensive and coordinated threat defense against threats.<\/p>\n\n\n\n<p>The stealth execution techniques discussed further prove that the threat landscape is constantly evolving, and that attackers will always look for new avenues to evade detection. This highlights the importance of continuous research on potential attack vectors, as well as future-proof solutions. We hope that the principles presented in this blog post can be used by other researchers in developing similar solutions.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><em><strong>Philip Tsukerman<\/strong>, <strong>Amir Kutcher<\/strong>, and <strong>Tomer Cabouly<\/strong><br>Microsoft 365 Defender Research Team<\/em><\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><sup>1<\/sup> https:\/\/www.blackhat.com\/docs\/eu-17\/materials\/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf<\/p>\n\n\n\n<p><sup>2<\/sup> https:\/\/jxy-s.github.io\/herpaderping\/<\/p>\n\n\n\n<p><sup>3<\/sup> https:\/\/www.elastic.co\/blog\/process-ghosting-a-new-executable-image-tampering-attack<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We developed a robust detection method in Microsoft Defender for Endpoint that can catch known and unknown variations of a process execution class used by attackers to evade detection. This class of stealthy execution techniques include process doppelganging, process herpadering, and process ghosting.<\/p>\n","protected":false},"author":68,"featured_media":117170,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[3690,3694],"threat-intelligence":[3727],"tags":[],"coauthors":[3380],"class_list":["post-117143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","products-microsoft-defender","products-microsoft-defender-for-endpoint","threat-intelligence-attacker-techniques-tools-and-infrastructure"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Using process creation properties to catch evasion techniques | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Using process creation properties to catch evasion techniques | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"We developed a robust detection method in Microsoft Defender for Endpoint that can catch known and unknown variations of a process execution class used by attackers to evade detection. This class of stealthy execution techniques include process doppelganging, process herpadering, and process ghosting.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-30T13:30:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-26T21:29:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/Featured-image-CLO20b_Sylvie_office_night_001.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"Using process creation properties to catch evasion techniques\",\"datePublished\":\"2022-06-30T13:30:00+00:00\",\"dateModified\":\"2023-05-26T21:29:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/\"},\"wordCount\":3625,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/Featured-image-CLO20b_Sylvie_office_night_001.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/\",\"name\":\"Using process creation properties to catch evasion techniques | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/Featured-image-CLO20b_Sylvie_office_night_001.jpg\",\"datePublished\":\"2022-06-30T13:30:00+00:00\",\"dateModified\":\"2023-05-26T21:29:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/Featured-image-CLO20b_Sylvie_office_night_001.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/Featured-image-CLO20b_Sylvie_office_night_001.jpg\",\"width\":1200,\"height\":800,\"caption\":\"Developer with facing monitors with her back to the camera\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Using process creation properties to catch evasion techniques\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Using process creation properties to catch evasion techniques | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/","og_locale":"en_US","og_type":"article","og_title":"Using process creation properties to catch evasion techniques | Microsoft Security Blog","og_description":"We developed a robust detection method in Microsoft Defender for Endpoint that can catch known and unknown variations of a process execution class used by attackers to evade detection. This class of stealthy execution techniques include process doppelganging, process herpadering, and process ghosting.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/","og_site_name":"Microsoft Security Blog","article_published_time":"2022-06-30T13:30:00+00:00","article_modified_time":"2023-05-26T21:29:18+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/Featured-image-CLO20b_Sylvie_office_night_001.jpg","type":"image\/jpeg"}],"author":"Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Threat Intelligence","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"Using process creation properties to catch evasion techniques","datePublished":"2022-06-30T13:30:00+00:00","dateModified":"2023-05-26T21:29:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/"},"wordCount":3625,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/Featured-image-CLO20b_Sylvie_office_night_001.jpg","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/","name":"Using process creation properties to catch evasion techniques | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/Featured-image-CLO20b_Sylvie_office_night_001.jpg","datePublished":"2022-06-30T13:30:00+00:00","dateModified":"2023-05-26T21:29:18+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/Featured-image-CLO20b_Sylvie_office_night_001.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/06\/Featured-image-CLO20b_Sylvie_office_night_001.jpg","width":1200,"height":800,"caption":"Developer with facing monitors with her back to the camera"},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/06\/30\/using-process-creation-properties-to-catch-evasion-techniques\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Using process creation properties to catch evasion techniques"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/117143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=117143"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/117143\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/117170"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=117143"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=117143"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=117143"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=117143"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=117143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=117143"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=117143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}