Detect Process Hollowing in IBM QRadar
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is commonly performed by creating a process in a suspended state, then unmapping (hollowing) its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess (which includes a flag to suspend the process's primary thread). At this point the process can be unmapped using API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively. This is a widely used technique employed by Cobalt Strike, Emotet, QakBot, and many other threat actors.
MITRE ATT&CK
- Technique: T1055 Process Injection
- Sub-technique: T1055.012 Process Hollowing
- Canonical reference: https://attack.mitre.org/techniques/T1055/012/
QRadar Detection Query
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    sourceip AS HostIP,
    username AS UserAccount,
    "Image" AS ProcessImage,
    "ParentImage" AS ParentProcessImage,
    "CommandLine" AS CommandLine,
    "ParentCommandLine" AS ParentCommandLine,
    CASE
        WHEN "Image" ILIKE '%\\svchost.exe' AND "ParentImage" NOT ILIKE '%\\services.exe'
            THEN 'CRITICAL - svchost.exe not spawned from services.exe'
        WHEN ("Image" ILIKE '%\\MSBuild.exe' OR "Image" ILIKE '%\\RegAsm.exe' OR "Image" ILIKE '%\\InstallUtil.exe')
             AND (LENGTH("CommandLine") < 10 OR "CommandLine" IS NULL OR "CommandLine" = '')
            THEN 'CRITICAL - .NET LOLBin with empty command line'
        WHEN LENGTH("CommandLine") < 5 OR "CommandLine" IS NULL OR "CommandLine" = ''
            THEN 'HIGH - Empty command line indicating CREATE_SUSPENDED'
        ELSE 'MEDIUM - Unusual parent-child relationship'
    END AS HollowingIndicator
FROM events
WHERE LOGSOURCETYPEID(devicetype) IN (12, 119) -- 12=Windows Security, 119=Sysmon; verify IDs for your deployment
    AND (
        "Image" ILIKE '%\\svchost.exe' OR "Image" ILIKE '%\\rundll32.exe' OR
        "Image" ILIKE '%\\notepad.exe' OR "Image" ILIKE '%\\cmd.exe' OR
        "Image" ILIKE '%\\mspaint.exe' OR "Image" ILIKE '%\\calc.exe' OR
        "Image" ILIKE '%\\dllhost.exe' OR "Image" ILIKE '%\\werfault.exe' OR
        "Image" ILIKE '%\\iexplore.exe' OR "Image" ILIKE '%\\MSBuild.exe' OR
        "Image" ILIKE '%\\RegAsm.exe' OR "Image" ILIKE '%\\InstallUtil.exe' OR
        "Image" ILIKE '%\\vbc.exe' OR "Image" ILIKE '%\\certutil.exe'
    )
    AND "ParentImage" NOT ILIKE '%\\services.exe'
    AND "ParentImage" NOT ILIKE '%\\svchost.exe'
    AND "ParentImage" NOT ILIKE '%\\explorer.exe'
    AND "ParentImage" NOT ILIKE '%\\winlogon.exe'
    AND "ParentImage" NOT ILIKE '%\\smss.exe'
    AND "ParentImage" NOT ILIKE '%\\csrss.exe'
    AND "ParentImage" NOT ILIKE '%\\wininit.exe'
    AND (LENGTH("CommandLine") < 5 OR "CommandLine" IS NULL OR "CommandLine" = '')
ORDER BY devicetime DESC
LAST 24 HOURS

IBM QRadar AQL detection for process hollowing using Windows Security Event Log and Sysmon DSM custom properties (Image, ParentImage, CommandLine). It filters for hollow-candidate processes spawned outside trusted parent chains with empty or near-empty command lines, indicating CREATE_SUSPENDED process initialization. Requires the QRadar DSM custom properties Image, ParentImage, and CommandLine to be extracted from raw Sysmon EventCode=1 log events. Verify that the LOGSOURCETYPEID values match your QRadar deployment configuration.
False Positives & Tuning
- SCCM or Intune managed deployment workflows spawning cmd.exe or certutil.exe with no initial arguments during software distribution health checks before dynamic argument injection via WMI
- Remote desktop or session-host infrastructure spawning explorer.exe or cmd.exe with no command line during user session initialization, originating from non-standard parent processes like the RDP stack
- Custom in-house tooling or IT automation agents designed to launch helper processes with empty command lines before programmatically passing work via stdin, named pipes, or shared memory IPC
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Process Hollowing Detection - Anomalous svchost.exe Parent
  Expected signal: Sysmon Event ID 1: svchost.exe with ParentImage=powershell.exe and empty/minimal CommandLine. This is a CRITICAL indicator — svchost.exe should only be spawned by services.exe with -k arguments.
- Test 2: MSBuild.exe Hollowing Target Simulation
  Expected signal: Sysmon Event ID 1: MSBuild.exe spawned by PowerShell with empty CommandLine. MSBuild.exe normally requires a project file as an argument — execution with no arguments is anomalous.
- Test 3: Hollowed notepad.exe with Network Connection Check
  Expected signal: Sysmon Event ID 1: notepad.exe spawned by cmd.exe. Sysmon Event ID 3 if notepad.exe makes network connections (it normally should not). Security Event ID 4688 with command line auditing enabled.
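The AQL above cannot be run outside QRadar, so the following added example (not code from the original page or from IBM) translates its triage logic into portable SQLite SQL and runs it over constructed Sysmon Event ID 1 records: the three expected signals from the Testing Methodology, two benign launches, and the SCCM scenario from the False Positives & Tuning list. AQL's ILIKE is emulated with LOWER(...) LIKE; LOGSOURCETYPEID, DATEFORMAT and LAST 24 HOURS are dropped because the sample table only holds Sysmon process-creation events. The image paths, host IPs, user names and the CcmExec.exe parent are assumptions for the sample data, not telemetry from the page.

```python
"""Added example (not from the original page or from QRadar): the page's AQL
detection re-expressed as SQLite SQL so its triage logic can be exercised
offline against constructed Sysmon Event ID 1 records."""
import sqlite3

# Hollow-candidate images and trusted parents, copied from the page's WHERE clause.
HOLLOW_CANDIDATES = [
    "svchost.exe", "rundll32.exe", "notepad.exe", "cmd.exe", "mspaint.exe",
    "calc.exe", "dllhost.exe", "werfault.exe", "iexplore.exe", "MSBuild.exe",
    "RegAsm.exe", "InstallUtil.exe", "vbc.exe", "certutil.exe",
]
TRUSTED_PARENTS = [
    "services.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
    "smss.exe", "csrss.exe", "wininit.exe",
]

# Constructed Sysmon Event ID 1 records (EventTime, HostIP, UserAccount,
# Image, ParentImage, CommandLine). None of this is real telemetry.
SAMPLE_EVENTS = [
    # Test 1: svchost.exe spawned by PowerShell with an empty command line
    ("2024-01-01 10:00:00", "10.0.0.5", "CORP\\alice",
     r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ""),
    # Test 2: MSBuild.exe spawned by PowerShell with no project file argument
    ("2024-01-01 10:01:00", "10.0.0.5", "CORP\\alice",
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ""),
    # Test 3: notepad.exe spawned by cmd.exe; no command line was logged at all
    ("2024-01-01 10:02:00", "10.0.0.5", "CORP\\alice",
     r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\cmd.exe", None),
    # Benign: normal svchost.exe from services.exe with its -k arguments
    ("2024-01-01 10:03:00", "10.0.0.5", "NT AUTHORITY\\SYSTEM",
     r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
     "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"),
    # Benign: a user opens a file in notepad.exe from Explorer
    ("2024-01-01 10:04:00", "10.0.0.5", "CORP\\alice",
     r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
     '"C:\\Windows\\System32\\notepad.exe" C:\\Users\\alice\\notes.txt'),
    # Tuning-list scenario: SCCM client (assumed parent image CcmExec.exe)
    # spawning cmd.exe with no initial arguments
    ("2024-01-01 10:05:00", "10.0.0.7", "NT AUTHORITY\\SYSTEM",
     r"C:\Windows\System32\cmd.exe", r"C:\Windows\CCM\CcmExec.exe", ""),
]


def _like_any(column, names):
    """OR-chain of case-insensitive suffix matches on the image file name (emulates ILIKE)."""
    return " OR ".join("LOWER(" + column + ") LIKE '%\\" + n.lower() + "'" for n in names)


def build_query(tuned_parents=()):
    """Return the translated detection SQL. tuned_parents lists extra parent
    images to exclude for a given environment (the page's tuning guidance)."""
    parents = list(TRUSTED_PARENTS) + list(tuned_parents)
    parent_clause = " AND ".join(
        "LOWER(ParentImage) NOT LIKE '%\\" + p.lower() + "'" for p in parents)
    return (
        "SELECT EventTime, Image, ParentImage, CommandLine,\n"
        "  CASE\n"
        "    WHEN LOWER(Image) LIKE '%\\svchost.exe'\n"
        "         AND LOWER(ParentImage) NOT LIKE '%\\services.exe'\n"
        "      THEN 'CRITICAL - svchost.exe not spawned from services.exe'\n"
        "    WHEN (" + _like_any("Image", ["MSBuild.exe", "RegAsm.exe", "InstallUtil.exe"]) + ")\n"
        "         AND (LENGTH(CommandLine) < 10 OR CommandLine IS NULL OR CommandLine = '')\n"
        "      THEN 'CRITICAL - .NET LOLBin with empty command line'\n"
        "    WHEN LENGTH(CommandLine) < 5 OR CommandLine IS NULL OR CommandLine = ''\n"
        "      THEN 'HIGH - Empty command line indicating CREATE_SUSPENDED'\n"
        "    ELSE 'MEDIUM - Unusual parent-child relationship'\n"
        "  END AS HollowingIndicator\n"
        "FROM events\n"
        "WHERE (" + _like_any("Image", HOLLOW_CANDIDATES) + ")\n"
        "  AND " + parent_clause + "\n"
        "  AND (LENGTH(CommandLine) < 5 OR CommandLine IS NULL OR CommandLine = '')\n"
        "ORDER BY EventTime DESC"
    )


def run_detection(events, tuned_parents=()):
    """Load events into an in-memory SQLite table, run the detection and return
    (Image, ParentImage, HollowingIndicator) per hit, newest first."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (EventTime TEXT, HostIP TEXT, UserAccount TEXT, "
                 "Image TEXT, ParentImage TEXT, CommandLine TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", events)
    rows = conn.execute(build_query(tuned_parents)).fetchall()
    conn.close()
    return [(image, parent, indicator) for _, image, parent, _, indicator in rows]


if __name__ == "__main__":
    for image, parent, indicator in run_detection(SAMPLE_EVENTS):
        print(f"{indicator:58} {image} <- {parent}")
    print("hits after tuning out CcmExec.exe:",
          len(run_detection(SAMPLE_EVENTS, tuned_parents=["CcmExec.exe"])))
```

Running it yields four hits (the three test signals plus the SCCM cmd.exe launch) and three once CcmExec.exe is added as a tuned parent; the two benign events never pass the WHERE clause. One caveat the translation makes visible: the final WHERE condition is identical to the HIGH branch of the CASE, so the ELSE 'MEDIUM' tier can never be reached as written; if you want a MEDIUM tier for unusual parent-child pairs with a populated command line, relax that last condition rather than the CASE.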
References
- https://attack.mitre.org/techniques/T1055/012/
- https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md
- https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode