Detects adversary abuse of Transactional NTFS (TxF) together with the undocumented NtCreateProcessEx process-creation path (process doppelgänging): the adversary opens a legitimate executable inside a transaction, overwrites it with a malicious image, creates a section from that uncommitted file, rolls the transaction back so the malicious content never reaches disk, creates a process from the section, and finally executes it via NtCreateThreadEx.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | CreateTransaction, CreateFileTransacted, RollbackTransaction, NtCreateProcessEx, NtCreateThreadEx |
| Field | Description |
|---|---|
| TransactionExecutableNamePattern | Pattern of legitimate executables often used as doppelgänging targets (e.g., svchost.exe, calc.exe) |
| TimeWindow_TransactionToExecution | Time delta between TxF rollback and thread creation in hollowed process |
| ThreadStartEntropyThreshold | Entropy of the memory region at the thread start address, used to flag packed or obfuscated shellcode |
| TxF API Call Frequency Threshold | Maximum number of CreateTransaction + RollbackTransaction pairs a single process may issue before it is flagged |
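The correlation the tunables describe, as an added example that is not part of the original detection page: API events are parsed from a constructed, pipe-free text format (one line per call, a format assumed here for illustration, not the output of any real sensor), and a process is flagged when it transacts an executable matching TransactionExecutableNamePattern, rolls the transaction back, creates a process via NtCreateProcessEx and then starts a thread in that process within TimeWindow_TransactionToExecution. A second rule counts CreateTransaction + RollbackTransaction pairs per process against the frequency threshold. The threshold values and the sample events are assumptions chosen to exercise both rules.

```python
"""Added example: correlate TxF rollback -> NtCreateProcessEx -> NtCreateThreadEx.

Event format and telemetry are constructed for illustration; a real deployment
would feed this from an EDR/ETW API-call source, not from Sysmon alone. The
hollowed process shows a benign image path and a valid signature in Sysmon
EventCode 1, and the rollback means the malicious image never hits disk.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Tunables mirroring the page's field table; concrete values are assumptions.
TRANSACTION_EXECUTABLE_NAME_PATTERN = re.compile(r"\\(svchost|calc)\.exe$", re.IGNORECASE)
TIME_WINDOW_TRANSACTION_TO_EXECUTION = timedelta(seconds=10)
TXF_API_CALL_FREQUENCY_THRESHOLD = 2  # Create+Rollback pairs per process before flagging

# Constructed line format: "<iso-ts> pid=<n> api=<Name> [target=<path>] [target_pid=<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) api=(?P<api>\w+)"
    r"(?: target=(?P<target>\S+))?(?: target_pid=(?P<tpid>\d+))?$"
)


@dataclass
class Event:
    ts: datetime
    pid: int          # process issuing the API call
    api: str          # CreateTransaction, RollbackTransaction, NtCreateProcessEx, ...
    target: str       # transacted file path or image of the created process
    target_pid: int   # pid of the created/targeted process (0 if none)


@dataclass
class TxState:
    transacted_files: list = field(default_factory=list)
    rollbacks: list = field(default_factory=list)      # rollback timestamps
    open_transactions: int = 0
    create_rollback_pairs: int = 0
    hollow_pids: dict = field(default_factory=dict)    # target_pid -> image path


def parse_event(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    return Event(datetime.fromisoformat(m["ts"]), int(m["pid"]), m["api"],
                 m["target"] or "", int(m["tpid"] or 0))


def detect(lines):
    """Return a list of alert dicts for the doppelganging chain and TxF churn."""
    state = defaultdict(TxState)
    alerts = []
    for ev in map(parse_event, lines):
        s = state[ev.pid]
        if ev.api == "CreateTransaction":
            s.open_transactions += 1
        elif ev.api == "CreateFileTransacted":
            s.transacted_files.append(ev.target)
        elif ev.api == "RollbackTransaction":
            s.rollbacks.append(ev.ts)
            if s.open_transactions > 0:
                s.open_transactions -= 1
                s.create_rollback_pairs += 1
                if s.create_rollback_pairs == TXF_API_CALL_FREQUENCY_THRESHOLD:
                    alerts.append({"rule": "txf_rollback_frequency", "pid": ev.pid,
                                   "count": s.create_rollback_pairs})
        elif ev.api == "NtCreateProcessEx":
            # Only track the new process if this caller transacted a known target image.
            if any(TRANSACTION_EXECUTABLE_NAME_PATTERN.search(f) for f in s.transacted_files):
                s.hollow_pids[ev.target_pid] = ev.target
        elif ev.api == "NtCreateThreadEx":
            image = s.hollow_pids.get(ev.target_pid)
            if image and s.rollbacks:
                delta = ev.ts - s.rollbacks[-1]   # rollback -> thread creation
                if timedelta(0) <= delta <= TIME_WINDOW_TRANSACTION_TO_EXECUTION:
                    alerts.append({"rule": "process_doppelganging", "pid": ev.pid,
                                   "target_pid": ev.target_pid, "image": image,
                                   "delta_s": delta.total_seconds()})
    return alerts


# Constructed sample telemetry: one benign transacted write, one doppelganging
# chain against svchost.exe, and one process churning transactions.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00.000 pid=900 api=CreateTransaction",
    "2024-05-01T10:00:00.010 pid=900 api=CreateFileTransacted target=C:\\Users\\alice\\notes.txt",
    "2024-05-01T10:00:00.020 pid=900 api=RollbackTransaction",
    "2024-05-01T10:01:00.000 pid=4312 api=CreateTransaction",
    "2024-05-01T10:01:00.015 pid=4312 api=CreateFileTransacted target=C:\\Windows\\System32\\svchost.exe",
    "2024-05-01T10:01:00.090 pid=4312 api=RollbackTransaction",
    "2024-05-01T10:01:00.120 pid=4312 api=NtCreateProcessEx target=C:\\Windows\\System32\\svchost.exe target_pid=5120",
    "2024-05-01T10:01:00.200 pid=4312 api=NtCreateThreadEx target_pid=5120",
    "2024-05-01T10:02:00.000 pid=2200 api=CreateTransaction",
    "2024-05-01T10:02:00.050 pid=2200 api=RollbackTransaction",
    "2024-05-01T10:02:00.100 pid=2200 api=CreateTransaction",
    "2024-05-01T10:02:00.150 pid=2200 api=RollbackTransaction",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The chain rule keys on the caller that issued the rollback rather than on the new process, because the hollowed process itself looks clean in process-creation telemetry: its image path is the untouched on-disk executable and the malicious bytes exist only in the section. Tune TIME_WINDOW_TRANSACTION_TO_EXECUTION to the sensor's timestamp resolution and expect the frequency rule to need a per-image allowlist, since legitimate installers and backup agents do use TxF.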