Process Injection: Process Hollowing T1055.012

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

Events covered

5 catalog events are tagged with this technique by at least one rule.

| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 8 | CreateRemoteThread |
| Sysmon | 10 | ProcessAccess |
| Sysmon | 25 | ProcessTampering (Process image change) |
| Security-Auditing | 4688 | A new process has been created. |

Authoring guide

Patterns shared across the 5 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (8 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (for example eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| Image | 4 | ends_with 4, match 1 | \excel.exe, \winword.exe, \System32\mshta.exe, \HollowReaper.exe, :\Program Files (x86) |
| CallTrace | 1 | match 1 | UNKNOWN |
| parent_process_name | 1 | eq 1 | regsvr32.exe, fltldr.exe, msxsl.exe |
| TargetImage | 1 | match 1 | \SysWOW64\ |
| StartModule | 1 | is_null 1 | |
| Type | 1 | eq 1 | Image is replaced |
| CommandLine | 1 | is_null 1, regex_match 1, match 1, eq 1 | svchost.exe, -k\s\w{1,64}(\s?(-p\|-s))? |
| ParentImage | 1 | ends_with 1 | \MsMpEng.exe, \MRT.exe |

Top indicator values (38 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| parent_process_name | eq | mspub.exe | 1 | |
| parent_process_name | eq | msaccess.exe | 1 | |
| parent_process_name | eq | regsvr32.exe | 1 | |
| parent_process_name | eq | wscript.exe | 1 | |
| parent_process_name | eq | cmstp.exe | 1 | |
| parent_process_name | eq | powerpnt.exe | 1 | |
| CallTrace | match | UNKNOWN | 1 | 2 |
| parent_process_name | eq | cscript.exe | 1 | |
| parent_process_name | eq | winword.exe | 1 | |
| parent_process_name | eq | excel.exe | 1 | |
| parent_process_name | eq | mshta.exe | 1 | |
| parent_process_name | eq | wmic.exe | 1 | |
| parent_process_name | eq | msxsl.exe | 1 | |
| parent_process_name | eq | fltldr.exe | 1 | |
| parent_process_name | eq | rundll32.exe | 1 | |
| parent_process_name | eq | eqnedt32.exe | 1 | |
| parent_process_name | eq | outlook.exe | 1 | |
| Image | ends_with | \winword.exe | 1 | 17 |
| Image | ends_with | \System32\cscript.exe | 1 | |
| TargetImage | match | \SysWOW64\ | 1 | |

Common exclusions (18 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| Image | eq | ?:\Windows\splwow64.exe | 1 |
| Image | wildcard | ?:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | 1 |
| Image | wildcard | ?:\Program Files\Microsoft Office\root\Office*\ADDINS\*.exe | 1 |
| parent_process_name | eq | EXCEL.EXE | 1 |
| process.parent.args | starts_with | ?:\Program Files\ | 1 |
| parent_process_name | eq | regsvr32.exe | 1 |
| process.args | in | 8192 | 1 |
| process.args | in | 12288 | 1 |
| parent_process_name | eq | powerpnt.exe | 1 |
| parent_process_name | eq | winword.exe | 1 |
| parent_process_name | eq | excel.exe | 1 |
| Image | wildcard | ?:\Program Files (x86)\Microsoft\EdgeWebView\Application\*\msedgewebview2.exe | 1 |
| process.parent.args | wildcard | ?:\WINDOWS\Installer\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc | 1 |
| parent_process_name | eq | rundll32.exe | 1 |
| process.parent.args | wildcard | --no-sandbox | 1 |
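The two points made above, that a widely reused indicator such as Image ends_with \winword.exe is noisy on its own and that the common exclusions should be carried as not() clauses, can be checked directly against sample telemetry. The following is an added example written for this page, not a rule from the catalog or from any vendor: it evaluates a Sysmon Event ID 25 detection built from the Type and Image fields in the tables above, applies three of the Image exclusions listed in the exclusions table, and contrasts it with the Image-only indicator over a handful of constructed records. The event records, process IDs and the SampleAddin.exe path are constructed for the example; the field names and exclusion patterns come from the tables.

```python
"""Added example (not from the catalog or any vendor's rule): evaluate a
process-hollowing detection built from the fields above over constructed
Sysmon Event ID 25 records, with the catalog's common exclusions applied."""
import fnmatch

# Selection for the full rule: the Sysmon 25 "image replaced" signal.
SELECTION_EVENT_ID = 25
SELECTION_TYPE = "Image is replaced"            # Type eq, from the Fields table

# Image names the catalog's rules look for (Image ends_with, from the Fields table).
SELECTION_IMAGE_SUFFIXES = ("\\excel.exe", "\\winword.exe", "\\system32\\mshta.exe")

# Exclusions copied from the "Common exclusions" table (Image eq / wildcard).
# fnmatch treats '?' as exactly one character (the drive letter) and '*' as any
# run, and does not give backslash a special meaning, so the catalog's patterns
# work as written once both sides are lower-cased (Windows paths are case-insensitive).
EXCLUDED_IMAGE_PATTERNS = (
    "?:\\Windows\\splwow64.exe",
    "?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
    "?:\\Program Files\\Microsoft Office\\root\\Office*\\ADDINS\\*.exe",
)


def is_excluded(image: str) -> bool:
    """True when the image path hits one of the known-benign exclusion patterns."""
    image_l = image.lower()
    return any(fnmatch.fnmatchcase(image_l, pat.lower()) for pat in EXCLUDED_IMAGE_PATTERNS)


def image_indicator_only(event: dict) -> bool:
    """The noisy form: Image ends_with one of the office/script hosts, nothing else.
    Fires on ordinary process creation of those hosts as well."""
    image = event.get("Image", "")
    return image.lower().endswith(SELECTION_IMAGE_SUFFIXES) and not is_excluded(image)


def full_rule(event: dict) -> bool:
    """Sysmon 25 AND Type eq "Image is replaced" AND NOT (any Image exclusion)."""
    if event.get("EventID") != SELECTION_EVENT_ID:
        return False
    if event.get("Type") != SELECTION_TYPE:
        return False
    return not is_excluded(event.get("Image", ""))


def alert_count(events, predicate) -> int:
    """Number of records a predicate would alert on."""
    return sum(1 for ev in events if predicate(ev))


# Constructed sample records (not real telemetry). Only the fields the rule reads are kept.
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16"
SAMPLE_EVENTS = [
    # 1. Word's image replaced in a live process: the hollowing signal. -> alert
    {"EventID": 25, "ProcessId": 4120, "Image": OFFICE + "\\WINWORD.EXE",
     "Type": "Image is replaced"},
    # 2. Print spooler helper, a known benign path listed in the exclusions. -> excluded
    {"EventID": 25, "ProcessId": 5008, "Image": "C:\\Windows\\splwow64.exe",
     "Type": "Image is replaced"},
    # 3. Office add-in under ADDINS, matched by the wildcard exclusion. -> excluded
    {"EventID": 25, "ProcessId": 5100, "Image": OFFICE + "\\ADDINS\\SampleAddin.exe",
     "Type": "Image is replaced"},
    # 4. Same event ID but a different Type value (constructed). -> no alert
    {"EventID": 25, "ProcessId": 6200, "Image": OFFICE + "\\EXCEL.EXE",
     "Type": "Image is locked for access"},
    # 5. Plain process creation of Word (Sysmon 1). -> no alert for the full rule,
    #    but the Image-only indicator fires here, which is what makes it noisy.
    {"EventID": 1, "ProcessId": 7300, "Image": OFFICE + "\\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE report.docx"},
]

if __name__ == "__main__":
    print("full rule alerts:     ", alert_count(SAMPLE_EVENTS, full_rule))
    print("image-only indicator: ", alert_count(SAMPLE_EVENTS, image_indicator_only))
    for ev in SAMPLE_EVENTS:
        if full_rule(ev):
            print("ALERT pid=%d image=%s" % (ev["ProcessId"], ev["Image"]))
```

Over the five records the full rule alerts once (the replaced WINWORD.EXE image) and the Image-only indicator three times, two of them on benign activity; the splwow64.exe and ADDINS records show the exclusion clauses doing the filtering the table describes.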

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule title links to its full predicates, exclusions, and indicators.

Sigma: 4 rules

Elastic: 1 rule