name: detecting-process-hollowing-technique
description: Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child
process anomalies in EDR telemetry.
domain: cybersecurity
subdomain: threat-hunting
tags:
- threat-hunting
- mitre-attack
- process-hollowing
- process-injection
- edr
- t1055
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Platform Monitoring
- Process Code Segment Verification
- Segment Address Offset Randomization
- Process Analysis
- Application Hardening
nist_csf:
- DE.CM-01
- DE.AE-02
- DE.AE-07
- ID.RA-05
Detecting Process Hollowing Technique
When to Use
- When investigating suspected fileless malware or in-memory threats
- After EDR alerts on process injection or suspicious memory operations
- When hunting for defense evasion techniques in a compromised environment
- When threat intel reports indicate process hollowing in active campaigns
- During purple team exercises validating T1055.012 detection coverage
Detection Gaps & Validation
- Event ID 25 requires Sysmon 13+: ProcessTampering (the cleanest hollowing signal) does not exist on older agents — confirm the Sysmon version or you silently miss every hollowing event. EID 25 also only flags image/section divergence, not all RunPE variants.
- CREATE_SUSPENDED is not logged directly: the suspended-create → unmap → write → resume chain has no single event. Stitch EID 1 (process create) + EID 8 (CreateRemoteThread) + EID 10 (ProcessAccess
0x0008 PROCESS_VM_OPERATION / 0x0020 PROCESS_VM_WRITE) on the same target PID.
- Image-mismatch hunting: compare Sysmon EID 7 (ImageLoaded)
OriginalFileName/hash against the on-disk path; a svchost.exe with no services.exe parent (EID 1 ParentImage) and outbound EID 3 is a strong tell.
- Evasions: process doppelgänging (T1055.013, NTFS transactions) and process ghosting bypass EID 25; module stomping reuses a legit DLL's memory so ImageLoaded looks clean — fall back to pe-sieve, Hollows Hunter, or Moneta memory scans.
- Validate: run Atomic Red Team T1055.012 (or a known RunPE PoC) and confirm EID 25 plus the EID 8/10 correlation fire in the SIEM.
- Tune FPs: debuggers, AV/EDR, and installers legitimately write cross-process memory — exclude by signed SourceImage and known RMM/security tooling, not by target name.
Prerequisites
- EDR with memory protection monitoring (CrowdStrike, MDE, SentinelOne)
- Sysmon with Event IDs 1 (Process Create), 8 (CreateRemoteThread), 25 (ProcessTampering)
- Windows ETW providers for process hollowing (Microsoft-Windows-Kernel-Process)
- Memory forensics capabilities (Volatility, WinDbg)
- Process integrity monitoring tools
Workflow
- Understand Hollowing Mechanics: Process hollowing involves creating a legitimate process in suspended state, unmapping its memory, writing malicious code, then resuming execution.
- Monitor Suspended Process Creation: Hunt for processes created with CREATE_SUSPENDED flag followed by memory writes and thread resumption.
- Detect Memory Section Anomalies: Identify processes where the in-memory image differs from the on-disk binary (image mismatch).
- Analyze Parent-Child Process Trees: Flag processes whose behavior does not match their binary name (e.g., svchost.exe making unusual network connections).
- Check Process Integrity: Compare process memory sections against the legitimate binary on disk.
- Correlate with Network Activity: Hollowed processes often establish C2 connections - correlate suspicious process behavior with network logs.
- Document and Contain: Report findings, isolate affected endpoints, and update detection rules.
Key Concepts
| Concept |
Description |
| T1055.012 |
Process Injection: Process Hollowing |
| T1055 |
Process Injection (parent technique) |
| T1055.001 |
DLL Injection |
| T1055.003 |
Thread Execution Hijacking |
| T1055.004 |
Asynchronous Procedure Call |
| CREATE_SUSPENDED |
Windows flag to create a process in suspended state |
| NtUnmapViewOfSection |
API to unmap process memory sections |
| WriteProcessMemory |
API to write into another process's memory |
| ResumeThread |
API to resume a suspended thread |
| Image Mismatch |
Process memory content differs from on-disk binary |
| Process Doppelganging |
Related technique using NTFS transactions (T1055.013) |
Tools & Systems
| Tool |
Purpose |
| CrowdStrike Falcon |
Memory protection and hollowing detection |
| Microsoft Defender for Endpoint |
ProcessTampering alerts |
| Sysmon v13+ |
Event ID 25 ProcessTampering detection |
| Volatility |
Memory forensics - malfind plugin |
| pe-sieve |
Process memory scanner for hollowed processes |
| Hollows Hunter |
Automated hollowed process detection |
| Process Hacker |
Live process memory inspection |
| API Monitor |
Monitor NtUnmapViewOfSection calls |
Common Scenarios
- Svchost.exe Hollowing: Malware creates svchost.exe suspended, hollows it, injects backdoor code - process appears legitimate but behaves maliciously.
- Explorer.exe Hollowing: Attacker hollows explorer.exe to inherit its network permissions and trusted process context.
- Rundll32 Hollowing: Malicious loader creates rundll32.exe, replaces its memory with implant code for C2 beaconing.
- Multi-Stage Hollowing: Loader uses process hollowing as first stage, then performs additional injection into services.
Output Format
Hunt ID: TH-HOLLOW-[DATE]-[SEQ]
Technique: T1055.012
Hollowed Process: [Process name and PID]
Original Binary: [Expected on-disk path]
Parent Process: [Parent name and PID]
Memory Mismatch: [Yes/No]
Suspicious APIs: [NtUnmapViewOfSection, WriteProcessMemory, etc.]
Network Activity: [C2 connections if any]
Host: [Hostname]
User: [Account context]
Risk Level: [Critical/High/Medium/Low]
By