Detect Process Hollowing in Elastic Security
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is commonly performed by creating a process in a suspended state, then unmapping (hollowing) its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess (which includes a flag to suspend the process's primary thread). At this point the process can be unmapped using API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread respectively. This is a widely used technique employed by Cobalt Strike, Emotet, QakBot, and many other threat actors.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.012 Process Hollowing
- Canonical reference
- https://attack.mitre.org/techniques/T1055/012/
Elastic Detection Query
process where event.action == "start" and
  process.name in~ ("svchost.exe", "explorer.exe", "rundll32.exe", "notepad.exe", "cmd.exe",
                    "mspaint.exe", "calc.exe", "dllhost.exe", "werfault.exe", "iexplore.exe",
                    "MSBuild.exe", "RegAsm.exe", "InstallUtil.exe", "vbc.exe", "certutil.exe") and
  not process.parent.name in~ ("services.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
                               "smss.exe", "csrss.exe", "wininit.exe") and
  (
    process.command_line == null or
    process.command_line == "" or
    length(process.command_line) < 5 or
    (process.name like~ "svchost.exe" and not process.command_line like "* -k *")
  )

Detects process hollowing (T1055.012) by identifying hollow-candidate Windows processes spawned from anomalous parent processes with null, empty, or near-empty command lines, a hallmark of CreateProcess with CREATE_SUSPENDED followed by ZwUnmapViewOfSection memory unmapping. Critical cases include svchost.exe not spawned from services.exe and .NET LOLBins (MSBuild, RegAsm, InstallUtil) started with no arguments. The rule uses the Elastic EQL case-insensitive in~ operator for resilient process name matching.
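To see exactly which events the EQL rule above fires on, here is an added Python re-implementation of its logic (written for this page, not Elastic's own code) evaluated over constructed process-start events laid out in ECS fields; the sample events are invented to mirror the three tests in the Testing Methodology section plus two benign controls, and treating a missing parent name as anomalous is an assumption of this example rather than a property of EQL.

```python
HOLLOW_CANDIDATES = {"svchost.exe", "explorer.exe", "rundll32.exe", "notepad.exe", "cmd.exe",
                     "mspaint.exe", "calc.exe", "dllhost.exe", "werfault.exe", "iexplore.exe",
                     "msbuild.exe", "regasm.exe", "installutil.exe", "vbc.exe", "certutil.exe"}
EXPECTED_PARENTS = {"services.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
                    "smss.exe", "csrss.exe", "wininit.exe"}

def is_hollowing_candidate(event: dict) -> bool:
    """Mirror the EQL rule: process start, hollow-candidate image, unexpected parent,
    and a null/empty/near-empty command line (or svchost.exe without ' -k ')."""
    if event.get("event", {}).get("action") != "start":
        return False
    proc = event.get("process", {})
    name = (proc.get("name") or "").lower()                    # in~ is case-insensitive
    parent = ((proc.get("parent") or {}).get("name") or "").lower()  # assumption: missing parent is anomalous
    if name not in HOLLOW_CANDIDATES or parent in EXPECTED_PARENTS:
        return False
    cmd = proc.get("command_line")
    if cmd is None or cmd == "" or len(cmd) < 5:
        return True
    # the rule's `like "* -k *"` is case-sensitive; keep that here
    return name == "svchost.exe" and " -k " not in cmd

# Constructed sample telemetry in ECS field layout (not real captures).
SAMPLE_EVENTS = [
    {"event": {"action": "start"}, "process": {"name": "svchost.exe",
        "parent": {"name": "powershell.exe"}, "command_line": None}},                 # Test 1
    {"event": {"action": "start"}, "process": {"name": "MSBuild.exe",
        "parent": {"name": "powershell.exe"}, "command_line": ""}},                   # Test 2
    {"event": {"action": "start"}, "process": {"name": "svchost.exe",
        "parent": {"name": "powershell.exe"},
        "command_line": "C:\\Windows\\System32\\svchost.exe"}},                       # no " -k "
    {"event": {"action": "start"}, "process": {"name": "svchost.exe",
        "parent": {"name": "services.exe"},
        "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"}},         # benign
    {"event": {"action": "start"}, "process": {"name": "notepad.exe",
        "parent": {"name": "cmd.exe"}, "command_line": ""}},                          # Test 3
    {"event": {"action": "end"}, "process": {"name": "calc.exe",
        "parent": {"name": "cmd.exe"}, "command_line": ""}},                          # not a start
]

def alerts(events):
    """Return (process.name, parent.name) for each event the rule would fire on."""
    return [(e["process"]["name"], e["process"]["parent"]["name"])
            for e in events if is_hollowing_candidate(e)]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("hollowing candidate:", hit)
```

Running it lists the four events the rule matches and silently drops the services.exe-launched svchost.exe and the non-start event, which is the quickest way to sanity-check a tuning change before pushing it to Elastic.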
Data Sources
Required Tables
False Positives & Tuning
- Build automation invoking MSBuild.exe, vbc.exe, or InstallUtil.exe without arguments during CI/CD pipeline initialization steps before arguments are passed programmatically via stdin or temp files
- Application virtualization platforms such as App-V or Citrix Virtual Apps that suspend and patch process memory as part of their application streaming layer, creating hollow-like process states
- Security tools or EDR agents that deliberately spawn known processes in suspended state for controlled behavioral analysis, memory forensics, or canary-based injection detection
Other platforms for T1055.012
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Process Hollowing Detection - Anomalous svchost.exe Parent
Expected signal: Sysmon Event ID 1: svchost.exe with ParentImage=powershell.exe and empty/minimal CommandLine. This is a CRITICAL indicator: svchost.exe should only be spawned by services.exe with -k arguments.
- Test 2: MSBuild.exe Hollowing Target Simulation
Expected signal: Sysmon Event ID 1: MSBuild.exe spawned by PowerShell with empty CommandLine. MSBuild.exe normally requires a project file as an argument; execution with an empty command line is anomalous.
- Test 3: Hollowed notepad.exe with Network Connection Check
Expected signal: Sysmon Event ID 1: notepad.exe spawned by cmd.exe. Sysmon Event ID 3: if notepad.exe makes network connections (it normally shouldn't). Security Event ID 4688 with command line auditing enabled.
References (6)
- https://attack.mitre.org/techniques/T1055/012/
- https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md
- https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode