Process Hollowing

Information

• Name: Process Hollowing

• ID: T1055.012

• Tactics: TA0005, TA0004

• Technique: T1055

Introduction

Process Hollowing (T1055.012) is a sub-technique within the MITRE ATT&CK framework categorized under Process Injection (T1055). It involves an attacker creating a legitimate process in a suspended state and then replacing its code with malicious payloads. This technique allows attackers to execute malicious code under the guise of a legitimate process, thus evading detection by security tools and defenders. Due to its stealthy nature, Process Hollowing is frequently utilized in advanced persistent threats (APTs) and sophisticated malware campaigns.

Deep Dive Into Technique

Process Hollowing involves several distinct technical steps:

1. Creating a Legitimate Process in Suspended State:

   • The attacker initiates a legitimate process (such as svchost.exe, explorer.exe, or notepad.exe) in a suspended state using Windows API functions like CreateProcess with the CREATE_SUSPENDED flag.

   • This suspended state ensures that the process is loaded into memory but not yet executed.

2. Unmapping or Hollowing Original Code:

   • The attacker uses Windows API calls, such as NtUnmapViewOfSection, to remove or hollow out the legitimate code from the process memory space.

   • This action leaves an empty "shell" of a legitimate process in memory.

3. Injecting Malicious Payload:

   • The attacker allocates memory within the hollowed process using functions such as VirtualAllocEx.

   • Malicious code or payload is written into this newly allocated memory space using APIs like WriteProcessMemory.

4. Adjusting Execution Context:

   • The attacker modifies the thread context (e.g., via SetThreadContext) to point the instruction pointer (EIP or RIP) to the malicious payload.

   • This ensures that when the suspended process resumes, it immediately executes attacker-controlled code.

5. Resuming the Hollowed Process:

   • The attacker resumes the suspended process using ResumeThread, causing malicious code execution under the guise of a trusted, legitimate process.

Attackers commonly use Process Hollowing to evade detection by antivirus (AV) solutions and endpoint detection and response (EDR) systems, as the malicious code runs within a legitimate process context, often bypassing security controls.

When this Technique is Usually Used

Process Hollowing is typically employed in scenarios such as:

• Initial Access and Execution:

  • During initial compromise, attackers may use Process Hollowing to execute payloads stealthily, avoiding detection by traditional AV and endpoint protection tools.

• Privilege Escalation and Persistence:

  • Attackers may leverage this technique to execute payloads under processes with elevated privileges, maintaining persistence and stealth.

• Defense Evasion:

  • Process Hollowing is highly effective in evading detection mechanisms by masquerading malicious behavior within legitimate processes.

• Credential Theft and Lateral Movement:

  • Attackers may inject credential harvesting tools or lateral movement payloads into legitimate processes to blend in with normal system activities.

• Data Exfiltration and Command and Control:

  • Malicious payloads injected via Process Hollowing often include communication modules for exfiltrating data or communicating with attacker-controlled servers.

How this Technique is Usually Detected

Effective detection of Process Hollowing involves multiple approaches:

• Behavioral Analysis:

  • Monitoring processes created in a suspended state and resumed later with unusual memory modifications.

  • Detecting unexpected API calls such as NtUnmapViewOfSection, WriteProcessMemory, VirtualAllocEx, and SetThreadContext.

• Endpoint Detection and Response (EDR) Tools:

  • Advanced EDR solutions detect suspicious memory operations and unusual thread context manipulations indicative of Process Hollowing.

  • Tools such as CrowdStrike Falcon, Carbon Black, Microsoft Defender for Endpoint, and SentinelOne provide behavioral detection capabilities.

• Memory Scanning and Analysis:

  • Regular memory scans for anomalies or discrepancies between the executable on disk and the image running in memory.

  • Tools like Volatility Framework can analyze memory dumps to identify hollowed processes.

• Event Log and Sysmon Monitoring:

  • Monitoring Windows event logs and Sysmon events for suspicious process creations and injections.

  • Sysmon Event IDs such as 1 (Process Creation), 8 (CreateRemoteThread), and 10 (ProcessAccess) can highlight potential Process Hollowing activities.

• Indicators of Compromise (IoCs):

  • Unexpected parent-child process relationships (e.g., a browser spawning system processes).

  • Processes running from unusual directories or with mismatched hashes compared to known legitimate binaries.

  • Suspicious network connections initiated by known legitimate processes.

Why it is Important to Detect This Technique

Early detection of Process Hollowing is critical due to the following impacts:

• Security Evasion:

  • Process Hollowing allows attackers to masquerade malicious payloads within legitimate processes, significantly complicating detection and response efforts.

• Privilege Escalation and Persistence:

  • Attackers frequently leverage this technique to escalate privileges and establish persistent footholds within compromised systems.

• Data Theft and Exfiltration:

  • Attackers often use Process Hollowing to deploy payloads capable of exfiltrating sensitive data, leading to intellectual property theft, financial loss, or compliance violations.

• System Stability and Integrity:

  • Malicious payloads injected through Process Hollowing may compromise system stability, degrade performance, and undermine overall system integrity.

• Regulatory and Compliance Implications:

  • Failure to detect and respond to Process Hollowing attacks may result in compliance violations, regulatory fines, and reputational damage.

Timely detection and response can significantly reduce the potential damage, limit attacker dwell time, and minimize the impact of incidents.

Examples

Real-world examples of Process Hollowing include:

• TrickBot Malware:

  • TrickBot often uses Process Hollowing to inject malicious payloads into legitimate Windows processes like svchost.exe, allowing it to evade detection and execute credential harvesting and banking fraud operations.

• Dridex Banking Trojan:

  • Dridex has employed Process Hollowing to inject malicious payloads into explorer.exe or other legitimate processes, enabling stealthy credential theft and financial fraud activities.

• Cobalt Strike Framework:

  • Attackers leveraging Cobalt Strike frequently utilize Process Hollowing techniques to inject beacon payloads into legitimate processes such as rundll32.exe or svchost.exe, facilitating stealthy command-and-control communication and lateral movement.

• Smoke Loader Malware:

  • Smoke Loader utilizes Process Hollowing to inject payloads into legitimate Windows processes, enabling attackers to download secondary payloads, steal credentials, and establish persistent backdoors.

• Gootkit Malware:

  • Gootkit banking trojan has been observed using Process Hollowing techniques to evade detection and execute malicious payloads within trusted processes, facilitating credential theft and financial fraud.

These examples highlight the widespread adoption of Process Hollowing among sophisticated threat actors and demonstrate the importance of robust detection and mitigation strategies.