T1055.012 Process Hollowing Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect Process Hollowing via suspended process creation + memory unmapping
// Key indicator: legitimate process spawned by unusual parent with empty/mismatched command line
let HollowingTargets = dynamic(["svchost.exe", "explorer.exe", "rundll32.exe", "notepad.exe", "cmd.exe", "mspaint.exe", "calc.exe", "dllhost.exe", "werfault.exe", "iexplore.exe", "MSBuild.exe", "RegAsm.exe", "InstallUtil.exe", "vbc.exe", "certutil.exe"]);
let LegitParents = dynamic(["services.exe", "svchost.exe", "explorer.exe", "winlogon.exe", "System", "smss.exe", "csrss.exe", "wininit.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (HollowingTargets)
| where InitiatingProcessFileName !in~ (LegitParents)
| where ProcessCommandLine == "" or ProcessCommandLine == FileName or strlen(ProcessCommandLine) < 5
  or (FileName =~ "svchost.exe" and ProcessCommandLine !has "-k")
| extend HollowingIndicator = case(
    FileName =~ "svchost.exe" and InitiatingProcessFileName !=~ "services.exe", "Critical - svchost.exe not from services.exe",
    FileName in~ ("MSBuild.exe", "RegAsm.exe", "InstallUtil.exe") and strlen(ProcessCommandLine) < 5, "Critical - .NET LOLBin with empty cmdline",
    strlen(ProcessCommandLine) < 5, "High - Empty command line (CREATE_SUSPENDED indicator)",
    true, "Medium - Unusual parent-child relationship"
)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
         FileName, ProcessCommandLine, ProcessId, HollowingIndicator
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Process: Process Access Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate COM activation spawning dllhost.exe with minimal arguments
Windows Error Reporting spawning WerFault.exe
Application installers creating helper processes that appear with minimal command lines
Debugging scenarios where processes are started suspended intentionally

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\svchost.exe" OR Image="*\\explorer.exe" OR Image="*\\rundll32.exe" OR Image="*\\notepad.exe" OR Image="*\\cmd.exe" OR Image="*\\MSBuild.exe" OR Image="*\\RegAsm.exe" OR Image="*\\InstallUtil.exe" OR Image="*\\vbc.exe" OR Image="*\\certutil.exe" OR Image="*\\iexplore.exe" OR Image="*\\werfault.exe" OR Image="*\\dllhost.exe")
  NOT (ParentImage="*\\services.exe" OR ParentImage="*\\svchost.exe" OR ParentImage="*\\explorer.exe" OR ParentImage="*\\winlogon.exe" OR ParentImage="System" OR ParentImage="*\\smss.exe" OR ParentImage="*\\csrss.exe")
| eval CmdLen=len(CommandLine)
| eval ImageName=mvindex(split(Image, "\\"), -1)
| eval HollowIndicator=case(
    ImageName="svchost.exe" AND NOT ParentImage="*\\services.exe", "CRITICAL - svchost hollowing",
    match(ImageName, "(MSBuild|RegAsm|InstallUtil)\.exe") AND CmdLen < 10, "CRITICAL - .NET LOLBin hollowing",
    CmdLen < 5 OR isnull(CommandLine), "HIGH - Empty command line",
    1=1, "MEDIUM - Unusual parent-child"
)
| table _time, host, User, ParentImage, ParentCommandLine, Image, CommandLine, CmdLen, HollowIndicator
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

COM activation creating dllhost.exe with minimal arguments
Windows Error Reporting creating WerFault.exe
Application installers using helper processes
Debugging tools creating suspended processes

Elastic Security (EQL)

eql

process where event.action == "start" and
  process.name in~ ("svchost.exe", "explorer.exe", "rundll32.exe", "notepad.exe", "cmd.exe",
                     "mspaint.exe", "calc.exe", "dllhost.exe", "werfault.exe", "iexplore.exe",
                     "MSBuild.exe", "RegAsm.exe", "InstallUtil.exe", "vbc.exe", "certutil.exe") and
  not process.parent.name in~ ("services.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
                                "smss.exe", "csrss.exe", "wininit.exe") and
  (
    process.command_line == null or
    process.command_line == "" or
    length(process.command_line) < 5 or
    (process.name like~ "svchost.exe" and not process.command_line like "* -k *")
  )

high severity high confidence

Data Sources

Elastic Endpoint (elastic-agent endpoint integration) Winlogbeat 8.x shipping Windows Event Logs Filebeat Sysmon module (Microsoft-Windows-Sysmon/Operational)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Build automation invoking MSBuild.exe, vbc.exe, or InstallUtil.exe without arguments during CI/CD pipeline initialization steps before arguments are passed programmatically via stdin or temp files
Application virtualization platforms such as App-V or Citrix Virtual Apps that suspend and patch process memory as part of their application streaming layer, creating hollow-like process states
Security tools or EDR agents that deliberately spawn known processes in suspended state for controlled behavioral analysis, memory forensics, or canary-based injection detection

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS UserAccount,
  "Image" AS ProcessImage,
  "ParentImage" AS ParentProcessImage,
  "CommandLine" AS CommandLine,
  "ParentCommandLine" AS ParentCommandLine,
  CASE
    WHEN "Image" ILIKE '%\\svchost.exe' AND "ParentImage" NOT ILIKE '%\\services.exe'
      THEN 'CRITICAL - svchost.exe not spawned from services.exe'
    WHEN ("Image" ILIKE '%\\MSBuild.exe' OR "Image" ILIKE '%\\RegAsm.exe' OR "Image" ILIKE '%\\InstallUtil.exe')
      AND (LENGTH("CommandLine") < 10 OR "CommandLine" IS NULL OR "CommandLine" = '')
      THEN 'CRITICAL - .NET LOLBin with empty command line'
    WHEN LENGTH("CommandLine") < 5 OR "CommandLine" IS NULL OR "CommandLine" = ''
      THEN 'HIGH - Empty command line indicating CREATE_SUSPENDED'
    ELSE 'MEDIUM - Unusual parent-child relationship'
  END AS HollowingIndicator
FROM events
WHERE LOGSOURCETYPEID(devicetype) IN (12, 119) -- 12=Windows Security, 119=Sysmon; verify IDs for your deployment
  AND (
    "Image" ILIKE '%\\svchost.exe'   OR "Image" ILIKE '%\\rundll32.exe'  OR
    "Image" ILIKE '%\\notepad.exe'   OR "Image" ILIKE '%\\cmd.exe'       OR
    "Image" ILIKE '%\\mspaint.exe'   OR "Image" ILIKE '%\\calc.exe'      OR
    "Image" ILIKE '%\\dllhost.exe'   OR "Image" ILIKE '%\\werfault.exe'  OR
    "Image" ILIKE '%\\iexplore.exe'  OR "Image" ILIKE '%\\MSBuild.exe'   OR
    "Image" ILIKE '%\\RegAsm.exe'    OR "Image" ILIKE '%\\InstallUtil.exe' OR
    "Image" ILIKE '%\\vbc.exe'       OR "Image" ILIKE '%\\certutil.exe'
  )
  AND "ParentImage" NOT ILIKE '%\\services.exe'
  AND "ParentImage" NOT ILIKE '%\\svchost.exe'
  AND "ParentImage" NOT ILIKE '%\\explorer.exe'
  AND "ParentImage" NOT ILIKE '%\\winlogon.exe'
  AND "ParentImage" NOT ILIKE '%\\smss.exe'
  AND "ParentImage" NOT ILIKE '%\\csrss.exe'
  AND "ParentImage" NOT ILIKE '%\\wininit.exe'
  AND (LENGTH("CommandLine") < 5 OR "CommandLine" IS NULL OR "CommandLine" = '')
ORDER BY devicetime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar with Microsoft Windows Sysmon DSM IBM QRadar with Windows Security Event Log DSM (EventCode 4688 with command line auditing enabled)

Required Tables

events

False Positives

SCCM or Intune managed deployment workflows spawning cmd.exe or certutil.exe with no initial arguments during software distribution health checks before dynamic argument injection via WMI
Remote desktop or session-host infrastructure spawning explorer.exe or cmd.exe with no command line during user session initialization, originating from non-standard parent processes like the RDP stack
Custom in-house tooling or IT automation agents designed to launch helper processes with empty command lines before programmatically passing work via stdin, named pipes, or shared memory IPC

Sumo Logic CSE

sql

_index=sec_record* objectType="process" action="create"
| where baseImage in ("svchost.exe", "explorer.exe", "rundll32.exe", "notepad.exe", "cmd.exe",
    "mspaint.exe", "calc.exe", "dllhost.exe", "werfault.exe", "iexplore.exe",
    "MSBuild.exe", "RegAsm.exe", "InstallUtil.exe", "vbc.exe", "certutil.exe")
| where parentBaseImage not in ("services.exe", "svchost.exe", "explorer.exe",
    "winlogon.exe", "smss.exe", "csrss.exe", "wininit.exe")
| where length(commandLine) < 5 or isNull(commandLine) or commandLine = ""
    or (baseImage = "svchost.exe" and !(commandLine contains "-k"))
| eval hollowingIndicator = if(baseImage = "svchost.exe" and parentBaseImage != "services.exe",
    "CRITICAL - svchost hollowing",
    if(baseImage in ("MSBuild.exe", "RegAsm.exe", "InstallUtil.exe")
        and (length(commandLine) < 10 or isNull(commandLine)),
      "CRITICAL - .NET LOLBin hollow",
      if(length(commandLine) < 5 or isNull(commandLine),
        "HIGH - Empty command line",
        "MEDIUM - Unusual parent-child relationship")))
| fields _messageTime, srcDevice_hostname, user_username, parentBaseImage,
         parentCommandLine, baseImage, commandLine, hollowingIndicator
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM (CSE) with Windows Sysmon normalization mapper Sumo Logic CSE with CrowdStrike Falcon mapper Sumo Logic CSE with VMware Carbon Black Cloud mapper

Required Tables

sec_record (Sumo Logic CSE normalized index)

False Positives

Ansible, Chef, or Puppet configuration management agents spawning cmd.exe or PowerShell via non-standard parent wrappers with no command line arguments during node provisioning or configuration drift correction
Software license validation modules that launch certutil.exe or InstallUtil.exe with no arguments as a first-pass system check before constructing and passing the actual command line at runtime
Helpdesk or remote-support software (TeamViewer, AnyDesk, ConnectWise) spawning explorer.exe or cmd.exe as part of screen-sharing or file-transfer session establishment from their own agent parent process

Google Chronicle / SecOps

yaral

rule process_hollowing_t1055_012 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects process hollowing (T1055.012) via anomalous parent-child process relationships with empty or near-empty command lines on hollow-candidate processes, consistent with CreateProcess(CREATE_SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory hollowing chain"
    severity = "HIGH"
    mitre_attack_technique = "T1055.012"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    reference = "https://attack.mitre.org/techniques/T1055/012/"
    yara_version = "YARA-L 2.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.file.full_path,
      `(?i)\\(svchost|explorer|rundll32|notepad|cmd|mspaint|calc|dllhost|werfault|iexplore|MSBuild|RegAsm|InstallUtil|vbc|certutil)\.exe$`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)\\(services|svchost|explorer|winlogon|smss|csrss|wininit)\.exe$`)
    (
      $e.target.process.command_line = "" or
      re.regex($e.target.process.command_line, `^.{0,4}$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\svchost\.exe$`) and
        not re.regex($e.target.process.command_line, `(?i)-k`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle with CrowdStrike Falcon ingestion feed Google Chronicle with Microsoft Sysmon via Chronicle Forwarder Google Chronicle with Carbon Black Response or CB Sensor feed

Required Tables

UDM events — PROCESS_LAUNCH event type

False Positives

Some .NET application bootstrappers invoke MSBuild.exe or InstallUtil.exe from a non-standard parent without command line arguments as a first step, loading assembly arguments from an embedded resource or config file at runtime
System management scripts using WMI Win32_Process.Create to spawn cmd.exe or rundll32.exe with blank arguments for remote health checks, where WMI host (WmiPrvSE.exe) acts as the parent rather than a standard trusted parent
Anti-cheat or DRM components (e.g. in gaming software) that intentionally spawn hollow-candidate processes in suspended state for integrity attestation before resuming execution, generating false CREATE_SUSPENDED signals

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| FileName in ["svchost.exe", "explorer.exe", "rundll32.exe", "notepad.exe", "cmd.exe",
               "mspaint.exe", "calc.exe", "dllhost.exe", "werfault.exe", "iexplore.exe",
               "MSBuild.exe", "RegAsm.exe", "InstallUtil.exe", "vbc.exe", "certutil.exe"]
| not ParentBaseFileName in ["services.exe", "svchost.exe", "explorer.exe",
                              "winlogon.exe", "smss.exe", "csrss.exe", "wininit.exe"]
| CmdLen := length(CommandLine)
| CmdLen < 5 or CommandLine = ""
| case {
    FileName = "svchost.exe" and ParentBaseFileName != "services.exe"
      | HollowingIndicator := "CRITICAL - svchost.exe hollowing" ;
    FileName in ["MSBuild.exe", "RegAsm.exe", "InstallUtil.exe"] and CmdLen < 10
      | HollowingIndicator := "CRITICAL - .NET LOLBin hollow" ;
    CmdLen < 5 or CommandLine = ""
      | HollowingIndicator := "HIGH - Empty command line" ;
    *
      | HollowingIndicator := "MEDIUM - Unusual parent-child relationship"
  }
| table([@timestamp, ComputerName, UserName, ParentBaseFileName, ParentCommandLine,
         FileName, CommandLine, HollowingIndicator])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor telemetry via Falcon LogScale (ProcessRollup2 events)

Required Tables

ProcessRollup2 (CrowdStrike Falcon event type)

False Positives

Package management or software deployment agents (Chocolatey, WinGet wrappers) that invoke cmd.exe or certutil.exe with empty arguments under a non-standard updater parent process during silent install pre-checks
Endpoint backup or DR recovery agents that spawn notepad.exe or calc.exe with no arguments as a live user-session canary to confirm interactive desktop presence before initiating file-level backup operations
Some enterprise monitoring or observability agents spawn dllhost.exe or werfault.exe with minimal arguments as COM surrogate health probes from their own service process rather than from the expected svchost.exe parent

Process Hollowing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections