Windows ProjFS Internals: A Technical Deep Dive | Huntress
ATT&CK techniques detected
T1055.001 Dynamic-link Library Injection
84%
"for when fileread operations happen as well, because whenever someone wants to read from a file, the provider has to support the getfiledatacallback callback, which, within the callback, the provider can either call prjwritefiledata or not project any data and return an error ( a…"
T1059.001 PowerShell
70%
"for when fileread operations happen as well, because whenever someone wants to read from a file, the provider has to support the getfiledatacallback callback, which, within the callback, the provider can either call prjwritefiledata or not project any data and return an error ( a…"
Summary
Huntress uncovers the mechanics of the Windows Projected File System. Explore the ProjFS driver, virtualization roots, and the PowerShell commands.