Skip to main content

What is Process Impersonation – Bitdefender TechZone

2026-07-15

Abstract

Process hollowing, ghosting, herpaderping and bind-link path spoofing make malicious code report a trusted name, path and hash. Ten process impersonation variants and how GravityZone Process Protection, ATC and memory scanning catch each one.

A Windows process carries two identities: a visible identity (its name, path, command line, parent process, and on-disk hash) and a security identity (its access token, the SIDs it holds, its privileges, and its integrity level). The process-impersonation family is the class of techniques attackers use to make those two identities disagree, either to mislead defenders who inspect visible state or to elevate the effective access Windows grants when it acts on the security identity. Ten technique variants form the family, from commodity name spoofing to bind-link path spoofing, the newest member to defeat path-based detection controls. The behavioral signals that catch them reliably have one property in common: they go below the visible identity to kernel state and memory contents.

A tier-1 analyst, working a live incident, pulls up the process tree. One entry looks routine: svchost.exe, parented to services.exe, image path matching C:\Windows\System32\svchost.exe, Authenticode signature on the file on disk valid. The process clears every visible-identity check. Two signals break it open anyway. First, the memory scanner flags that the code in the process’s address space does not match the mapped image: the on-disk executable was unmapped after process creation and replaced with a different payload in memory. Second, the behavioral engine catches an outbound connection to an IP with no baseline for that process, using a protocol svchost.exe has no legitimate reason to initiate. Neither signal relied on the process name, the path, or the hash. The technique responsible is process hollowing, and it works because it attacks the right identity: it leaves the visible identity intact and manipulates execution state below it.

How Windows Creates and Secures a Process

To see how these attacks work, it helps to understand how Windows represents a process internally and how it decides what that process is allowed to do. When the kernel creates a process, it allocates an EPROCESS structure in kernel memory, and that structure is the authoritative record: the kernel uses it for scheduling, handle management, and security integration. Residing alongside it in user memory is a parallel structure, the Process Environment Block (PEB), which holds process parameters, environment variables, loader metadata, and the command line the process was invoked with. The PEB is read by the process itself at runtime and matters little to the kernel once the process exists. That split, between an authoritative kernel record and a user-mode one the process reads for itself, is precisely what most tampering attacks exploit, opening a gap between what user-mode tools read from the PEB, what sits on disk, and what the kernel is actually executing.

Creation is not a single instant but a sequence. Windows validates the image file, opens it, and creates a section object (a kernel structure that maps the file’s contents into memory, giving the file a split existence in which the memory manager and the filesystem can hold different views of it, a divergence several of the tampering techniques below turn on), then allocates and initializes EPROCESS, sets up the address space, maps the image and ntdll.dll, builds the PEB, duplicates standard handles, and only then creates and starts the first thread. A consequence that matters for detection is that the process object appears in the process list before that first thread ever runs, and security software receives its process-creation notification when the thread begins executing, not at the earlier moment the object was allocated. An attacker who alters the relationship between the backing file, the mapped section, and the code that will actually run before the first thread starts can therefore open a disk-versus-memory mismatch that process-create observers never see. The same asymmetry applies to the command line: what a security tool records in its callback is a snapshot of the parameters passed to CreateProcess, but because the PEB is the user-mode source of truth and stays writable after creation, an attacker can rewrite what the child process reports as its own command line so that it no longer matches what the tool captured.

Security decisions rest on something else entirely. Windows does not grant access based on a process’s name or path; it evaluates the security descriptor on the object being accessed against the token carried by the principal requesting it. An access token is a kernel object that describes that principal: its user Security Identifier (SID), its group SIDs, its session ID, its integrity level, and its privileges. LSASS builds the initial token at logon. Every process holds a primary token, but a thread, which is the actual unit of execution inside a process, can either run under that primary token or impersonate a different security context, a feature Windows provides deliberately so that services can act on behalf of the clients they serve.

SIDs are how Windows names users, groups, computers, and integrity levels, and they are what access checks actually compare. When a process opens a securable object, the Security Reference Monitor, the kernel component that enforces access policy, weighs the requested access against the Discretionary Access Control List (DACL) in the object’s security descriptor, matching it against the SIDs in the effective token. The label “Administrator” is never what Windows tests; it tests the SID. Layered on top of the SIDs are privileges, which authorize system-wide sensitive operations rather than access to a particular object and mostly sit present but disabled in a token until something enables them. Two matter most here: SeDebugPrivilege, which lets a process open other processes and threads broadly (a debugger capability attackers repurpose for injection and token theft), and SeImpersonatePrivilege, which lets a thread adopt a client’s security context and sits at the center of impersonation chains and local privilege escalation. Integrity levels add one more layer independent of group membership, so that a lower-integrity process cannot modify a higher-integrity one even when the user SIDs would otherwise allow it. On domain-joined systems the logon token can also carry Active Directory SIDs and group memberships, which is what makes a stolen or impersonated domain token so valuable: it can authenticate to other machines without the plaintext password, turning a single local foothold into a route across the network.

All of this comes down to one observation that organizes the rest of this piece: a process has a visible identity and a security identity, and defenders tend to infer the former while Windows acts on the latter.

What Process Impersonation Actually Is

Process impersonation names a family of attacks united by a shared goal: making malicious code appear to carry a trusted identity. The techniques divide along the visible-versus-security axis introduced above.

Attacks on the visible identity make defender tooling report the wrong name, path, parent, command line, or on-disk hash. Process name spoofing, bind-link path spoofing, and PPID and command-line spoofing belong here.

A closely related group leaves the visible identity untouched and instead changes what actually executes inside the process. Hollowing, doppelganging, ghosting, and herpaderping make the code running in memory diverge from the file and metadata the process presents; thread injection runs attacker code inside a legitimate host, borrowing that host’s security context as well.

Attacks on the security identity make Windows grant the attacker’s code rights it was not issued at logon. Token impersonation and theft belong here.

A stricter taxonomy would treat that middle group as a third identity in its own right: the code residing and executing in the address space, distinct from both the on-disk or metadata view and the security token. The distinction is technically correct and worth keeping in mind, because an entire class of techniques targets it directly. This article keeps to two identities for readability, folding the in-memory state into what defenders must verify rather than simply infer.

The Techniques in Detail

The techniques below take each member of the family in turn, beginning with the crudest and moving toward those that defeat progressively deeper layers of inspection. Each is laid out the same way: how the technique works, the Windows capability that makes it possible, where it has surfaced in real intrusions, and the behavioral signal that reliably catches it.

Process Name Spoofing

Mechanism. The attacker places a malicious executable at a path whose filename matches a trusted system binary, such as svchost.exe placed in a user-writable directory like C:\Users\Public\. A related variant swaps in visually similar names that survive a glance, such as svcnost.exe or svchost .exe with a trailing space.

Why this is possible. Windows places no access control on file names; any user can create a file named svchost.exe, and legitimacy is established by path and signature, not the name alone.

Real-world use. Name spoofing, which MITRE ATT&CK calls Masquerading, is commodity behavior across malware families. MITRE catalogs sourced procedure examples under MITRE ATT&CK, T1036.005 Match Legitimate Name or Location.

Detection angle. Compare the image path against the expected canonical location for the binary name. A svchost.exe running outside C:\Windows\System32\ is an immediately reliable signal. This is the lowest-sophistication technique in the family: any process-monitoring tool catches it at process-create time.

Process Hollowing

Mechanism. The attacker creates a legitimate process in suspended state via CREATE_SUSPENDED, unmaps the legitimate image from the process address space, writes a malicious payload into the now-empty space via VirtualAllocEx and WriteProcessMemory, adjusts the entry point, then resumes the thread. Classic hollowing unmaps and replaces the main image section; related variants such as Process Overwriting replace the mapped image and repoint the entry point without a full unmap (hasherezade, Process Overwriting).

Why this is possible. Windows allows a process with sufficient handle rights to read and write another process’s memory and control thread execution, legitimate capabilities used by debuggers and profilers.

Real-world use. Hijack Loader (also tracked as IDAT Loader), documented extensively in 2023-2024, used process hollowing to execute payloads inside hollowed system processes (The Hacker News, May 2024). The NETWIRE RAT family used it across phishing campaigns analyzed by Mandiant (Mandiant, “Dissecting NETWIRE Phishing Campaigns”, March 2019).

Detection angle. Memory scanning for disk-versus-memory divergence: compare in-memory image bytes against the file on disk. A legitimate process has no reason for these to differ. Anomalous outbound network connections from processes with no such baseline are a companion signal, and the one that surfaced the svchost.exe case in the opening hook.

Process Doppelganging

Mechanism. The attacker opens a Transactional NTFS (TxF) transaction, a Windows feature designed for atomic file operations, writes a malicious payload over a legitimate file within the transaction, creates a section object from the in-transaction version of the file, then rolls back the transaction. The on-disk file reverts to its legitimate contents; the section object continues to reference the transactional page data and is used to create the process.

Why this is possible. The Windows kernel allows a section object to be created from a file modified inside an open TxF transaction; after rollback, the section retains its own reference to the mapped pages, which now back no file on disk.

Real-world use. Doppelganging peaked in the wild in 2017-2018. The canonical cases are SynAck ransomware (Kaspersky, “SynAck Ransomware Uses Process Doppelganging”, May 2018) and the Leafminer APT group. Clean TxF-based doppelganging is rarely observed today: the technique is operationally fragile and has largely been absorbed into hybrid loaders. It is covered here because it introduced the concept of process creation from a transactional file state, which influenced later techniques.

Detection angle. Section object creation from a file modified within an open TxF transaction is anomalous. Virtually no production software does this; the operation itself is the signal.

Process Ghosting

Mechanism. The attacker opens a new file, marks it for deletion (putting it in a delete-pending state), writes a malicious payload to it, creates a section object from the delete-pending file, then closes the file handle. Windows completes the deletion when all handles are closed, but the section object retains a reference to the page data from the now-deleted file. The process runs from a section backed by a file that no longer exists on disk.

Why this is possible. Windows delays deletion until all open file handles and section references are released; the section object can hold a reference to page data from a deleted file, leaving security tools with nothing on disk to scan.

Real-world use. Process Ghosting was disclosed as a research technique by Gabriel Landau at Elastic Security in June 2021, after Microsoft declined to address it (Elastic Security, “Process Ghosting: A New Executable Image Tampering Attack”, June 2021). The CherryLoader downloader used the technique in observed intrusions in January 2024 (The Hacker News, January 2024).

Detection angle. Detect section object creation from a file in delete-pending state. For runtime detection: the absence of any backing file for the process’s image is itself a signal, and memory scanning still applies since the payload code is present in memory even if no on-disk counterpart exists.

Process Herpaderping

Mechanism. The attacker writes a malicious executable to disk, maps it into a process (creating a section object that holds a reference to the pages), then overwrites the on-disk file with a benign or garbage payload before the security product’s file scan executes. The process runs the original malicious content already committed to the section; the on-disk file now appears clean.

Why this is possible. The image loader maps the file into memory as a section object before the first thread starts; the section holds its own page reference, so overwriting the backing file after the mapping is created does not affect what the section executes.

Real-world use. Herpaderping was disclosed as a proof-of-concept by Johnny Shaw in October 2020 (Johnny Shaw, herpaderping proof-of-concept, October 2020) and later incorporated into Metasploit as an evasion module. No in-the-wild malware family uses it exclusively; it is primarily a post-exploitation framework technique.

Detection angle. File-write events targeting an image already mapped as a running process’s executable are anomalous. This write pattern, combined with a subsequent process-create event from the same file path, is a reliable behavioral indicator.

Thread Injection

Mechanism. Rather than creating a new process, the attacker injects code into an existing legitimate process. The standard Win32 sequence: OpenProcess to obtain a handle, VirtualAllocEx to allocate memory in the target, WriteProcessMemory to write the payload, then CreateRemoteThread or NtCreateThreadEx to start execution. Asynchronous Procedure Call (APC) injection queues the payload for execution on a thread already in the target, avoiding the explicit thread-creation call. Thread creation is only one entry in a large family: dozens of process-injection variants exist, many of which never call CreateRemoteThread at all. This section covers the canonical path; for a broader survey see Kotler and Klein, Black Hat USA 2019.

Why this is possible. Windows allows processes with sufficient handle rights (granted by SeDebugPrivilege or explicit handle permissions) to allocate memory and create threads in other processes, capabilities that debuggers, profilers, and security products rely on.

Real-world use. QakBot (also written QBot) used this pattern extensively, injecting into processes such as wermgr.exe, explorer.exe, and mobsync.exe via the VirtualAllocExWriteProcessMemoryCreateRemoteThread sequence, documented by The DFIR Report (The DFIR Report, “Cobalt Strike: A Defender’s Guide”, August 2021) and Splunk (Splunk, “From Macros to No Macros: QakBot Malware Improvements”, December 2022). QakBot’s infrastructure was disrupted in 2023, but the injection pattern it popularized remains representative of current loaders.

Detection angle. Thread creation in a remote process by a parent with no legitimate instrumentation reason is a high-fidelity signal. Pair it with the preceding memory-allocation sequence. APC injection is detectable via Event Tracing for Windows (ETW) thread-pool and APC-queue events. Look for threads whose start addresses point to regions recently written by a different process.

PPID Spoofing

Mechanism. The Parent Process ID passed to CreateProcess through its extended attribute list (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) can be set to any process the attacker holds a handle to, so the child appears to descend from a chosen parent rather than its real creator. This is more than cosmetic disguise: the child also inherits from the designated parent, so attackers use it to pick up a different token (for example moving from an administrator context to SYSTEM, or from a local account to a domain one) or to inherit handles the parent already holds.

Why this is possible. Assigning a custom parent through process attributes is a documented Windows feature, used legitimately by consent.exe during UAC elevation and by virtualization and container tooling. It runs entirely in user mode and needs only a handle to the target parent.

Real-world use. Cobalt Strike implements PPID spoofing (its ppid and spawnto controls), and the framework is used by more than 30 APT groups (MITRE ATT&CK S0154). The technique is cataloged at MITRE ATT&CK T1134.004 Parent PID Spoofing.

Detection angle. The kernel’s process-creation notification exposes both the creator (the process that actually called CreateProcess) and the declared parent (the process designated for inheritance); a mismatch between the two, or a declared parent that does not fit the kernel-visible ancestry, is the signal. Tooling that reads only the declared parent is spoofable.

Command-Line Spoofing

Mechanism. The command line captured in process telemetry is a one-time snapshot taken from the CreateProcess parameters at creation. Because the PEB belongs to the process and stays writable afterward, an attacker can rewrite the child’s PEB so it reports a different command line than the one the security tool recorded at callback time.

Why this is possible. Nothing keeps the PEB synchronized with the parameters the creation callback captured; the process owns its PEB and can overwrite the stored command line, and other fields, once it is running.

Real-world use. Cobalt Strike implements argument spoofing through its argue control, and the technique appears broadly across intrusions that use the framework. The same PEB-rewriting primitive has a sharper edge: because some Windows auto-elevation checks read the requesting process’s PEB image path, a process that presents itself there as explorer.exe or notepad.exe can trigger auto-elevated COM behavior and bypass UAC (FuzzySecurity, Anatomy of UAC Attacks).

Detection angle. Compare the command line captured at callback time against what the process later reports through WMI or direct PEB inspection; a mismatch indicates post-creation PEB modification.

Path Spoofing via Bind Links

Mechanism. Windows Bind Filter (bindflt.sys, present since Windows 10 RS4, API surface exposed via bindfltapi.dll from 20H1 and bindlink.dll from 24H2) redirects file I/O from a source path to a target path. Bind links are non-persistent, can shadow files that already exist, and can be scoped globally or per-silo (a silo is a Windows isolation primitive, a “super-job,” that underlies Windows containers).

In process-binding, the attacker creates a global bind link that shadows a legitimate executable’s path with a malicious file. Every path-reporting API (PsGetProcessImageFileName, SeLocateProcessImageName, Process Explorer, System Informer, Sysmon event ID 1) returns the original legitimate path while the image loader executes the attacker’s file.

In silo-binding (described as “Ghost in the Silo” in Bitdefender’s research), the attacker combines a per-silo bind link with an inverse global link: the malicious path resolves to the attacker’s image only inside the silo, and to the clean file everywhere else. Per-silo links also avoid the bind-link veto callback that global links trigger, removing one detection opportunity.

Why this is possible. Bind links are a documented Windows feature used by Store app virtualization, Windows Sandbox, and Docker for Windows; standard process-notification APIs return the virtualized path, not the real backing file, and the API needed to recover the real backing file (IoGetShadowFileInformation) is available only from Windows 11 22H2 onward and is not used by most monitoring tools. Requires local administrator privileges.

Real-world use. Bitdefender Labs research demonstrated silo-binding defeating AppLocker block rules, Windows Firewall per-application rules, and Sysmon process-create (event ID 1) and image-load (event ID 7) events (Bitdefender research, 2026). Public tooling is available at Bitdefender bindutil-toolset, GitHub. Sysmon became an optional built-in Windows feature in Windows 11 and Server 2025, though it is disabled by default and requires explicit enablement (Microsoft Learn, 2025); native inclusion does not widen exposure to this attack without opt-in configuration.

Detection angle. Do not trust the image path or file hash from the process-creation notification as a verification anchor. Recover the real backing file via IoGetShadowFileInformation on Windows 11 22H2 and later. Flag bind links targeting security-product directories or \Windows\System32. Flag per-silo bind links as anomalous absent confirmed container workloads.

Token Impersonation and Theft

Mechanism. From an administrator-level foothold, the attacker identifies a process running under a privileged token: a SYSTEM-level service or a domain-privileged account. Using OpenProcessToken and DuplicateToken, the attacker copies that token. The duplicate is then used either for in-thread impersonation via ImpersonateLoggedOnUser, affecting only the current thread’s security context while the process token remains unchanged, or to spawn a new process under the stolen identity via CreateProcessWithTokenW.

Why this is possible. Thread impersonation is a deliberately designed Windows feature for services acting on behalf of clients; the APIs that manipulate tokens are available to any process holding SeDebugPrivilege (to open the source process) and SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (to use the duplicate token).

Real-world use. Token theft is a standard capability in post-exploitation frameworks. Mimikatz, Cobalt Strike, and Metasploit all implement it. MITRE catalogs the family under MITRE ATT&CK, Access Token Manipulation T1134 with the impersonation and theft sub-technique at MITRE ATT&CK, T1134.001 Token Impersonation/Theft. In practice the highest-value use is lateral movement: impersonating or stealing the token of a privileged domain account, ideally a domain administrator, lets the attacker authenticate to other machines as that user without ever knowing the password, turning one compromised host into a foothold across the domain.

Detection angle. Thread-level token divergence from the parent process token, absent a legitimate service impersonation reason, is a high-fidelity signal. Monitor SeDebugPrivilege and SeImpersonatePrivilege enablement events: most legitimate software enables SeDebugPrivilege only transiently. CreateProcessWithTokenW calls from non-system processes are rarely legitimate.

Taxonomy boundary. The techniques above cover the most commonly observed variants of the process-impersonation and injection family. For a complete catalog of process-injection sub-techniques, see MITRE ATT&CK T1055. Techniques such as reflective DLL loading and process reimaging variants are not covered here.

Common Mistakes and Misconceptions

The techniques above succeed less because they are sophisticated than because they exploit assumptions defenders hold without examining them. Each of the following feels reasonable and quietly lets one or more of these attacks through.

“The process name and path tell me what’s running”

This conflates the visible identity with execution state. Process name spoofing plants a trusted name at an unexpected path. Process hollowing, ghosting, and doppelganging execute a payload in a process whose name, path, and on-disk file are all legitimate. Bind-link path spoofing makes the reported path itself resolve to a different file than the one executing. Name and path are useful as a first filter; they cannot verify execution state. Reliable detection requires comparing in-memory code against the on-disk image or, for bind-link attacks, recovering the real backing file below the virtualization layer via IoGetShadowFileInformation.

“All thread injection is malicious”

Thread injection into a remote process is a core Windows design feature. Debuggers attach by injecting threads. Profilers, application performance monitoring agents, antivirus engines, and DRM systems all use cross-process memory operations and thread manipulation. Flagging every VirtualAllocExWriteProcessMemory CreateRemoteThread sequence as an attack produces false positives on developer workstations and monitoring infrastructure. The relevant signals are context: which process is the injector, which process is the target, does the injector have a documented reason to instrument the target, and does the allocated region have no legitimate backing file?

“PPID spoofing requires kernel access”

It does not. The CreateProcess extended attribute for a custom parent handle is a documented user-mode API, available since Windows Vista. The calling process needs a handle to the desired parent with PROCESS_CREATE_PROCESS access rights, which a local administrator can obtain entirely in user space. This makes PPID spoofing accessible to post-exploitation frameworks running on a compromised administrator session, not just rootkits or kernel exploits.

“The image path and hash my tool reported identify the file that’s actually running”

Process hollowing, ghosting, and herpaderping each break the link between the on-disk file and the in-memory code, making hash comparison unreliable at the file layer. Bind-link path spoofing breaks the relationship at the filesystem layer: the path your tool reports is the source path of the bind link, and hashing the file at that path returns a hash of the wrong file. Reliable verification requires going below the virtualization layer and comparing code in memory against the real backing file, not the path the process-notification API returned.

What Legitimate Process Activity Looks Like

No signal below is sufficient alone; the value is in knowing which hold up and which collapse against which technique. Each is rated against a standard Windows 10/11 enterprise baseline.

Signal

Reliability

Notes

Process name matches expected canonical path

Medium

Catches name spoofing; does not catch hollowing, ghosting, or bind-link attacks

On-disk hash of reported image path

Low

Defeated by hollowing, ghosting, herpaderping, and bind-link path spoofing

Declared parent PID matches kernel process tree

Medium

PPID spoofing is a user-mode API call; tuning required for virtualization tooling

Disk-versus-memory image comparison

High

Catches hollowing, ghosting, herpaderping, doppelganging; does not catch bind-link path spoofing

Remote thread creation by a non-instrumenting parent

High

Legitimate on developer machines; rarely seen in production without known tooling

Thread token diverges from process primary token without service reason

High

Impersonation without a client call in context is anomalous

Bind link targeting protected directories

High

Legitimate use cases are bounded to known container workloads

Command-line mismatch between callback snapshot and runtime PEB

High

Divergence indicates post-creation PEB modification

Reliability: High means the signal produces very few false positives in a standard Windows 10/11 enterprise environment. Medium means legitimate software occasionally triggers it and tuning is required. Low means the signal is insufficient as a standalone detection.

Note: image-path and hash signals drop to unreliable specifically against bind-link path spoofing. Detection stacks that depend on these signals for verification require supplementation with the IoGetShadowFileInformation recovery path on Windows 11 22H2 and later.

Mitigation

Prevention and detection for this family both require moving below visible-identity signals:

  • Memory scanning over file scanning. Comparing in-memory code against the mapped image catches hollowing, ghosting, herpaderping, and doppelganging. File-hash allow-listing cannot.

  • Kernel-level process monitoring. Process-create callbacks fire on first-thread execution and can miss pre-creation image manipulation. Supplementing with minifilter callbacks and memory-integrity checks extends coverage into the timing window.

  • Privilege monitoring. Log SeDebugPrivilege and SeImpersonatePrivilege enablement events. Most legitimate software enables SeDebugPrivilege only transiently for specific operations. Monitor CreateProcessWithTokenW calls from non-system processes.

  • Parent-process verification. Compare the declared parent PID against the kernel process tree. Tooling that ingests only the process-create event’s reported parent is spoofable.

  • Bind-link detection. Enumerate active bind links at the kernel filter level. Flag links targeting system directories, security-product directories, or paths used by privileged processes. On Windows 11 22H2 and later, recover the real backing file via IoGetShadowFileInformation rather than trusting the reported path.

  • Behavioral baselines. Network connections, file access patterns, and API call sequences for svchost.exe, lsass.exe, and other privileged processes are well-characterized. Deviations from those baselines catch the payload’s behavior even when the visible identity is intact.

How GravityZone Addresses Process Impersonation

GravityZone layers multiple detection mechanisms against this technique family, avoiding dependence on visible-identity signals the attacks are designed to defeat:

  • Advanced Threat Control (ATC) monitors API call sequences and behavioral patterns at runtime, independently of the process name or on-disk file. ATC catches injection chains, privilege manipulation, and anomalous process behavior without relying on file signatures. See Advanced Threat Control and Process Protection, TechZone.

  • Process Protection provides kernel-level introspection that detects hollowing and injection by comparing in-memory image state against what the image loader mapped, flagging disk-versus-memory divergence. See Process Protection, TechZone.

  • API and ETW monitoring covers the cross-process API chains used by thread injection (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) and token theft (DuplicateToken, CreateProcessWithTokenW). These sequences are logged and evaluated in behavioral context.

  • Memory scanning runs independently of file-based reputation, making it effective against ghosting, herpaderping, and doppelganging where the backing file is absent, deleted, or overwritten by the time file scanning would occur.

The Takeaway

Every technique in the process-impersonation family bets on the same blind spot: that defenders will act on what the visible identity reports. Process hollowing replaces the in-memory code while leaving the name and path intact. Doppelganging and ghosting make the on-disk file unavailable for comparison. Herpaderping overwrites it after the mapping is created. Bind links redirect the path itself. PPID spoofing and command-line modification manipulate what the callback sees. Token theft skips the visible identity entirely and attacks the security layer directly.

The defenses that hold across all ten variants share one property: they go below the visible identity to kernel state, memory contents, and behavioral sequences. A process name is not what is executing. A file hash is not what is in memory. The image path is not necessarily the file that ran. Detection built on those assumptions fails precisely the cases where it matters most.