T1055.012

Process Hollowing

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. Process hollowing is commonly performed by creating a process in a suspended state, then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which ...

Platform: Windows
Detections: 8
Sources: 2
Threat Actors: 7

BY SOURCE

elastic: 4
sigma: 4

PROCEDURES (8)

Script Execution Monitoring (1 detection)

Auto-extracted: 1 detection for script execution monitoring

Hollow (1 detection)

Auto-extracted: 1 detection for hollow

Hollow (1 detection)

Auto-extracted: 1 detection for hollow

Parent Process (1 detection)

Auto-extracted: 1 detection for parent process

Inject (1 detection)

Auto-extracted: 1 detection for inject

Masquerad (1 detection)

Auto-extracted: 1 detection for masquerad

Parent Process (1 detection)

Auto-extracted: 1 detection for parent process

Unusual (1 detection)

Auto-extracted: 1 detection for unusual

DETECTIONS (8)