T1055.012 Google Chronicle · YARA-L

Detect Process Hollowing in Google Chronicle

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is commonly performed by creating a process in a suspended state, then unmapping (hollowing) its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which accepts a flag (CREATE_SUSPENDED) to suspend the process's primary thread. At this point the process image can be unmapped using API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection; the injected code is then written into the process (VirtualAllocEx, WriteProcessMemory), the thread context is realigned to the injected code's entry point (SetThreadContext), and the thread is resumed (ResumeThread). The technique is widely used by Cobalt Strike, Emotet, QakBot, and many other malware families and threat actors.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.012 Process Hollowing
Canonical reference
https://attack.mitre.org/techniques/T1055/012/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule process_hollowing_t1055_012 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects process hollowing (T1055.012) via anomalous parent-child process relationships with empty or near-empty command lines on hollow-candidate processes, consistent with CreateProcess(CREATE_SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory hollowing chain"
    severity = "HIGH"
    mitre_attack_technique = "T1055.012"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    reference = "https://attack.mitre.org/techniques/T1055/012/"
    yara_version = "YARA-L 2.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.file.full_path,
      `(?i)\\(svchost|explorer|rundll32|notepad|cmd|mspaint|calc|dllhost|werfault|iexplore|MSBuild|RegAsm|InstallUtil|vbc|certutil)\.exe$`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)\\(services|svchost|explorer|winlogon|smss|csrss|wininit)\.exe$`)
    (
      $e.target.process.command_line = "" or
      re.regex($e.target.process.command_line, `^.{0,4}$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\svchost\.exe$`) and
        not re.regex($e.target.process.command_line, `(?i)-k`)
      )
    )

  condition:
    $e
}
Severity: HIGH · Confidence: HIGH

Chronicle YARA-L 2.0 rule detecting process hollowing (T1055.012) from UDM PROCESS_LAUNCH events. In the UDM model, principal.process is the parent (spawning) process and target.process is the child process being launched. The rule matches hollow-candidate processes created outside the trusted parent chain with an empty or near-empty (four characters or fewer) command line. The svchost.exe branch additionally catches an svchost launched without the expected -k <ServiceGroupName> argument, a strong indicator of a hollowed or masquerading svchost. Note that a launch event carries only the command line the creating process supplied to CreateProcess, not the later NtUnmapViewOfSection/WriteProcessMemory activity; a loader that passes a plausible command line (for example a copy of a legitimate svchost.exe -k line) will match neither branch, so pair this rule with memory-injection telemetry where the EDR provides it. Compatible with Falcon, Sysmon, and Carbon Black Chronicle ingestion feeds.

Data Sources

  • Google Chronicle with CrowdStrike Falcon ingestion feed
  • Google Chronicle with Microsoft Sysmon via Chronicle Forwarder
  • Google Chronicle with Carbon Black Response or CB Sensor feed

Required Tables

UDM events — PROCESS_LAUNCH event type

False Positives & Tuning

  • Some .NET application bootstrappers invoke MSBuild.exe or InstallUtil.exe from a non-standard parent without command line arguments as a first step, loading assembly arguments from an embedded resource or config file at runtime
  • System management scripts using WMI Win32_Process.Create to spawn cmd.exe or rundll32.exe with blank arguments for remote health checks, where WMI host (WmiPrvSE.exe) acts as the parent rather than a standard trusted parent
  • Anti-cheat or DRM components (e.g. in gaming software) that intentionally spawn hollow-candidate processes with no arguments, often in a suspended state for integrity attestation before resuming execution; the PROCESS_LAUNCH event carries no suspend flag, so the rule fires on the empty command line and the non-standard parent, not on CREATE_SUSPENDED itself

Testing Methodology

Validate this detection against the three Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Process Hollowing Detection - Anomalous svchost.exe Parent

    Expected signal: Sysmon Event ID 1: svchost.exe with ParentImage=powershell.exe and an empty or minimal CommandLine. This is a critical indicator: svchost.exe is normally spawned only by services.exe, with -k arguments. Launching from PowerShell typically leaves at least the image name in CommandLine, but the rule's svchost branch still fires because -k is absent.

  2. Test 2: MSBuild.exe Hollowing Target Simulation

    Expected signal: Sysmon Event ID 1: MSBuild.exe spawned by PowerShell with an empty CommandLine. MSBuild.exe normally takes a project file as its argument, so argument-less execution is anomalous. The rule's near-empty branch needs a CommandLine of four characters or fewer; Start-Process fills CommandLine with the quoted image path, so the test harness must create the process with an empty command line (as some hollowing loaders do by passing lpApplicationName and an empty lpCommandLine to CreateProcess).

  3. Test 3: Hollowed notepad.exe with Network Connection Check

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by cmd.exe with an empty CommandLine (the rule does not match if the launch leaves the typed image name in CommandLine). Sysmon Event ID 3 if notepad.exe makes network connections, which it should not normally do. Security Event ID 4688 with command-line auditing enabled provides the same launch telemetry where Sysmon is absent.
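The rule's events: block, re-implemented in Python and run over constructed PROCESS_LAUNCH events that model the three tests above, the WmiPrvSE.exe entry from the false-positive list, and the copied-command-line evasion case mentioned in the rule description. This is an added example, not code from the original page or from the Argus Detection Platform rule; the events, paths and labels are constructed, UDM field names are flattened with dots, unset strings are read as "" (Chronicle's zero value), and Chronicle's unanchored re.regex is approximated with Python's re.search.

```python
import re

# Regexes copied verbatim from the YARA-L rule. Chronicle's re.regex is an
# unanchored RE2 match, so re.search is the matching Python primitive.
HOLLOW_CANDIDATE = re.compile(
    r"(?i)\\(svchost|explorer|rundll32|notepad|cmd|mspaint|calc|dllhost|werfault|"
    r"iexplore|MSBuild|RegAsm|InstallUtil|vbc|certutil)\.exe$"
)
TRUSTED_PARENT = re.compile(
    r"(?i)\\(services|svchost|explorer|winlogon|smss|csrss|wininit)\.exe$"
)
SVCHOST = re.compile(r"(?i)\\svchost\.exe$")
NEAR_EMPTY = re.compile(r"^.{0,4}$")
SVCHOST_K = re.compile(r"(?i)-k")


def rule_matches(event):
    """Mirror of the events: block of process_hollowing_t1055_012.

    `event` is a dict keyed by dotted UDM field names. For PROCESS_LAUNCH,
    principal.process is the parent and target.process is the child.
    Unset UDM strings are read as "" (the zero value Chronicle uses).
    """
    if event.get("metadata.event_type") != "PROCESS_LAUNCH":
        return False
    child = event.get("target.process.file.full_path", "")
    parent = event.get("principal.process.file.full_path", "")
    cmdline = event.get("target.process.command_line", "")

    if not HOLLOW_CANDIDATE.search(child):
        return False
    if TRUSTED_PARENT.search(parent):  # launched inside the trusted parent chain
        return False
    empty_or_short = cmdline == "" or NEAR_EMPTY.search(cmdline) is not None
    svchost_without_k = (SVCHOST.search(child) is not None
                         and SVCHOST_K.search(cmdline) is None)
    return empty_or_short or svchost_without_k


def launch(parent, child, cmdline):
    """Build a minimal constructed UDM PROCESS_LAUNCH event."""
    return {
        "metadata.event_type": "PROCESS_LAUNCH",
        "principal.process.file.full_path": parent,
        "target.process.file.full_path": child,
        "target.process.command_line": cmdline,
    }


# Constructed sample paths (hypothetical hosts, not captured telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SVC = r"C:\Windows\System32\svchost.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
CMD = r"C:\Windows\System32\cmd.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

SAMPLE_EVENTS = {
    # Test 1: svchost from PowerShell; Start-Process leaves the quoted image
    # path in the command line, but there is no -k, so the svchost branch fires.
    "test1_svchost_from_powershell": launch(PS, SVC, f'"{SVC}"'),
    # Legitimate service host: trusted parent, excluded regardless of cmdline.
    "svchost_from_services": launch(r"C:\Windows\System32\services.exe", SVC,
                                    f"{SVC} -k netsvcs -p"),
    # Test 2: MSBuild with a truly empty command line fires ...
    "test2_msbuild_empty_cmdline": launch(PS, MSB, ""),
    # ... but the same launch via Start-Process does not (path > 4 chars).
    "test2_msbuild_via_start_process": launch(PS, MSB, f'"{MSB}"'),
    # Test 3: notepad from cmd.exe, empty vs. typed image name.
    "test3_notepad_from_cmd_empty": launch(CMD, NOTEPAD, ""),
    "test3_notepad_from_cmd_typed": launch(CMD, NOTEPAD, "notepad"),
    # False positive from the tuning list: WMI provider host spawning cmd.exe.
    "fp_wmiprvse_spawns_cmd": launch(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                                     CMD, ""),
    # Detection gap: loader supplies a copied, plausible svchost command line.
    "gap_svchost_with_copied_cmdline": launch(r"C:\Users\Public\loader.exe", SVC,
                                              f"{SVC} -k netsvcs"),
}


def evaluate(events):
    """Return {label: rule fired?} for every constructed event."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else '  ok '}  {name}")
```

Running it shows four alerts: the three hollowing tests with an empty or -k-less command line and the WmiPrvSE false positive. The two misses worth noting are test2_msbuild_via_start_process, which is why the test harness must create the process with an empty command line rather than through Start-Process, and gap_svchost_with_copied_cmdline, which is the evasion the rule description warns about: PROCESS_LAUNCH only sees whatever command line the loader chose to supply.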
