Detect Process Hollowing in Sumo Logic CSE
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess (which includes a flag to suspend the processes primary thread). At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively. This is a widely-used technique employed by Cobalt Strike, Emotet, QakBot, and many other threat actors.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.012 Process Hollowing
- Canonical reference
- https://attack.mitre.org/techniques/T1055/012/
Sumo Detection Query
_index=sec_record* objectType="process" action="create"
| where baseImage in ("svchost.exe", "explorer.exe", "rundll32.exe", "notepad.exe", "cmd.exe",
"mspaint.exe", "calc.exe", "dllhost.exe", "werfault.exe", "iexplore.exe",
"MSBuild.exe", "RegAsm.exe", "InstallUtil.exe", "vbc.exe", "certutil.exe")
| where parentBaseImage not in ("services.exe", "svchost.exe", "explorer.exe",
"winlogon.exe", "smss.exe", "csrss.exe", "wininit.exe")
| where length(commandLine) < 5 or isNull(commandLine) or commandLine = ""
or (baseImage = "svchost.exe" and !(commandLine contains "-k"))
| eval hollowingIndicator = if(baseImage = "svchost.exe" and parentBaseImage != "services.exe",
"CRITICAL - svchost hollowing",
if(baseImage in ("MSBuild.exe", "RegAsm.exe", "InstallUtil.exe")
and (length(commandLine) < 10 or isNull(commandLine)),
"CRITICAL - .NET LOLBin hollow",
if(length(commandLine) < 5 or isNull(commandLine),
"HIGH - Empty command line",
"MEDIUM - Unusual parent-child relationship")))
| fields _messageTime, srcDevice_hostname, user_username, parentBaseImage,
parentCommandLine, baseImage, commandLine, hollowingIndicator
| sort by _messageTime descSumo Logic Cloud SIEM (CSE) detection for process hollowing using normalized process creation records from the sec_record index. Matches hollow-candidate Windows processes created outside authoritative parent chains with empty or minimal command lines consistent with CREATE_SUSPENDED hollowing. Relies on CSE normalization from Sysmon, CrowdStrike Falcon, or Carbon Black sources mapping to the objectType=process schema with baseImage, parentBaseImage, and commandLine normalized fields.
Data Sources
Required Tables
False Positives & Tuning
- Ansible, Chef, or Puppet configuration management agents spawning cmd.exe or PowerShell via non-standard parent wrappers with no command line arguments during node provisioning or configuration drift correction
- Software license validation modules that launch certutil.exe or InstallUtil.exe with no arguments as a first-pass system check before constructing and passing the actual command line at runtime
- Helpdesk or remote-support software (TeamViewer, AnyDesk, ConnectWise) spawning explorer.exe or cmd.exe as part of screen-sharing or file-transfer session establishment from their own agent parent process
Other platforms for T1055.012
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Process Hollowing Detection - Anomalous svchost.exe Parent
Expected signal: Sysmon Event ID 1: svchost.exe with ParentImage=powershell.exe and empty/minimal CommandLine. This is a CRITICAL indicator — svchost.exe should only be spawned by services.exe with -k arguments.
- Test 2MSBuild.exe Hollowing Target Simulation
Expected signal: Sysmon Event ID 1: MSBuild.exe spawned by PowerShell with empty CommandLine. MSBuild.exe normally requires a project file as argument — empty execution is anomalous.
- Test 3Hollowed notepad.exe with Network Connection Check
Expected signal: Sysmon Event ID 1: notepad.exe spawned by cmd.exe. Sysmon Event ID 3: If notepad.exe makes network connections (it shouldn't normally). Security Event ID 4688 with command line auditing.
References (6)
- https://attack.mitre.org/techniques/T1055/012/
- https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md
- https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode
Unlock Pro Content
Get the full detection package for T1055.012 including response playbook, investigation guide, and atomic red team tests.