T1055.012 Splunk · SPL

Detect Process Hollowing in Splunk

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess (which includes a flag to suspend the processes primary thread). At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively. This is a widely-used technique employed by Cobalt Strike, Emotet, QakBot, and many other threat actors.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.012 Process Hollowing
Canonical reference
https://attack.mitre.org/techniques/T1055/012/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\svchost.exe" OR Image="*\\explorer.exe" OR Image="*\\rundll32.exe" OR Image="*\\notepad.exe" OR Image="*\\cmd.exe" OR Image="*\\MSBuild.exe" OR Image="*\\RegAsm.exe" OR Image="*\\InstallUtil.exe" OR Image="*\\vbc.exe" OR Image="*\\certutil.exe" OR Image="*\\iexplore.exe" OR Image="*\\werfault.exe" OR Image="*\\dllhost.exe")
  NOT (ParentImage="*\\services.exe" OR ParentImage="*\\svchost.exe" OR ParentImage="*\\explorer.exe" OR ParentImage="*\\winlogon.exe" OR ParentImage="System" OR ParentImage="*\\smss.exe" OR ParentImage="*\\csrss.exe")
| eval CmdLen=len(CommandLine)
| eval ImageName=mvindex(split(Image, "\\"), -1)
| eval HollowIndicator=case(
    ImageName="svchost.exe" AND NOT ParentImage="*\\services.exe", "CRITICAL - svchost hollowing",
    match(ImageName, "(MSBuild|RegAsm|InstallUtil)\.exe") AND CmdLen < 10, "CRITICAL - .NET LOLBin hollowing",
    CmdLen < 5 OR isnull(CommandLine), "HIGH - Empty command line",
    1=1, "MEDIUM - Unusual parent-child"
)
| table _time, host, User, ParentImage, ParentCommandLine, Image, CommandLine, CmdLen, HollowIndicator
| sort - _time
critical severity high confidence

Detects Process Hollowing via Sysmon Event ID 1 (Process Create) by identifying hollowing target processes with empty/short command lines spawned by unusual parents. Process hollowing uses CREATE_SUSPENDED which often results in empty command lines. Categorizes severity based on target process and command line characteristics. Critical alerts for svchost.exe not spawned by services.exe and .NET LOLBins (MSBuild, RegAsm, InstallUtil) with no arguments.

Data Sources

Process: Process CreationSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • COM activation creating dllhost.exe with minimal arguments
  • Windows Error Reporting creating WerFault.exe
  • Application installers using helper processes
  • Debugging tools creating suspended processes
Download portable Sigma rule (.yml)

Other platforms for T1055.012

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Process Hollowing Detection - Anomalous svchost.exe Parent

    Expected signal: Sysmon Event ID 1: svchost.exe with ParentImage=powershell.exe and empty/minimal CommandLine. This is a CRITICAL indicator — svchost.exe should only be spawned by services.exe with -k arguments.

  2. Test 2MSBuild.exe Hollowing Target Simulation

    Expected signal: Sysmon Event ID 1: MSBuild.exe spawned by PowerShell with empty CommandLine. MSBuild.exe normally requires a project file as argument — empty execution is anomalous.

  3. Test 3Hollowed notepad.exe with Network Connection Check

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by cmd.exe. Sysmon Event ID 3: If notepad.exe makes network connections (it shouldn't normally). Security Event ID 4688 with command line auditing.

Last updated: 2026-04-16 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1055.012 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.013Process DoppelgangingT1036.005Match Legitimate Resource Name or LocationT1218.004InstallUtilT1127.001MSBuild

Same Tactic: Defense Evasion

Popular Detections