Process Hollowing: Inside the Evasion Technique Used by Malware and Red Teams

Introduction

Process hollowing is a sophisticated code injection technique often used by malware, advanced persistent threats (APTs), and red teamers to evade detection, bypass endpoint defenses, and execute malicious payloads disguised as legitimate processes.

Unlike traditional code injection, process hollowing replaces the memory of a benign process with malicious code, allowing attackers to hide in plain sight.

This article explores the concept of process hollowing, how it works, how attackers use it, how defenders can detect it, and which tools are commonly used to perform it.

What Is Process Hollowing?

Process hollowing is a post-exploitation technique where an attacker starts a legitimate process in a suspended state, unmaps its memory, and replaces it with malicious shellcode or an executable payload. The process is then resumed, executing the attacker’s code — but under the name and appearance of a trusted binary (e.g., svchost.exe, explorer.exe).

This method is commonly used in fileless malware, ransomware deployment, and malware loaders because it helps bypass security solutions that rely on process names or parent-child relationships.

Technical Steps in Process Hollowing

  1. Create a Suspended Process

The attacker starts a legitimate Windows process (e.g., notepad.exe) in a suspended state using the CreateProcess API with the CREATE_SUSPENDED flag.

  2. Unmap the Original Executable

Using NtUnmapViewOfSection, the memory region of the original executable is removed from the process.

  3. Allocate Memory for the Malicious Payload

The attacker allocates memory in the target process using VirtualAllocEx.

  4. Write Malicious Code into the Process

Using WriteProcessMemory, the attacker injects a malicious PE payload into the allocated space.

  5. Set New Entry Point

The attacker modifies the thread context to point to the new payload using SetThreadContext.

  6. Resume Execution

Finally, the suspended thread is resumed using ResumeThread, and the malicious code is executed under the identity of the legitimate process.

Example Tools and Frameworks

  • Cobalt Strike: Commonly used in red teaming to perform process injection.
  • Donut: Generates shellcode from PE/.NET binaries for injection.
  • Metasploit: Provides post-exploitation modules that can be adapted for hollowing.
  • DIY C/C++ Payloads: Custom POC scripts using Win32 APIs.
  • PEzor / SharpHound / SharpSploit: Used in offensive security labs to demonstrate hollowing and related techniques.

Real-World Usage of Process Hollowing

  • Emotet and TrickBot: Used process hollowing to evade detection while installing second-stage malware.
  • Ryuk Ransomware: Known for using this technique during lateral movement and ransomware deployment.
  • FIN7 / APT32: Used process hollowing to disguise C2 implants within trusted system processes.

How to Detect Process Hollowing

1. Suspicious API Sequences

Monitoring use of:

  • CreateProcess with CREATE_SUSPENDED
  • NtUnmapViewOfSection
  • WriteProcessMemory
  • SetThreadContext
  • ResumeThread

These API chains are commonly used in process hollowing attacks.
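As an added example (not code from the article), the following Python detector applies the ordered API chain above to a constructed API-monitor trace. The one-call-per-line format, the PIDs and the flag names in the sample are assumptions for the demonstration; the check keys on the caller/target PID pair so that a legitimate suspended start (a debugger, for instance) that never unmaps and rewrites the child does not fire.

```python
"""Ordered API-chain detector for process hollowing (added example)."""
import re
from collections import defaultdict

# The chain the article lists, in the order it must occur. VirtualAllocEx is
# deliberately not required: some loaders reuse the original image base.
HOLLOWING_CHAIN = [
    "CreateProcess",          # must carry CREATE_SUSPENDED to count
    "NtUnmapViewOfSection",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
]

# Assumed trace format: "<caller_pid> <api> target=<target_pid> [flags...]"
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<api>\w+)\s+target=(?P<target>\d+)(?:\s+(?P<flags>.*))?$"
)

# Constructed sample: PID 4120 hollows 5204; PID 880 starts a child suspended
# but never rewrites it; PID 3344 writes its own memory. Only 4120 should fire.
SAMPLE_TRACE = """\
4120 CreateProcess target=5204 CREATE_SUSPENDED
4120 NtUnmapViewOfSection target=5204
4120 VirtualAllocEx target=5204 PAGE_EXECUTE_READWRITE
4120 WriteProcessMemory target=5204
4120 SetThreadContext target=5204
4120 ResumeThread target=5204
880 CreateProcess target=6012 CREATE_SUSPENDED
880 ResumeThread target=6012
3344 WriteProcessMemory target=3344
""".splitlines()

def detect_hollowing(trace_lines):
    """Return sorted (caller_pid, target_pid) pairs that completed the chain in order."""
    progress = defaultdict(int)   # (caller, target) -> index of next expected API
    hits = set()
    for line in trace_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # tolerate malformed lines instead of crashing
        key = (m["pid"], m["target"])
        if progress[key] >= len(HOLLOWING_CHAIN):
            continue              # already reported for this pair
        if m["api"] != HOLLOWING_CHAIN[progress[key]]:
            continue              # out-of-order or unrelated call: no progress
        if m["api"] == "CreateProcess" and "CREATE_SUSPENDED" not in (m["flags"] or ""):
            continue              # ordinary process start, not the chain's first step
        progress[key] += 1
        if progress[key] == len(HOLLOWING_CHAIN):
            hits.add(key)
    return sorted(hits)

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE))
```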

2. Memory Anomalies

  • The image in memory does not match the executable on disk.
  • The process has no command-line arguments but is running.
  • Sections with RWX permissions or injected shellcode.

3. Behavior Analytics

Use EDR or behavior-based monitoring tools to detect:

  • Legitimate processes performing unusual network activity.
  • High entropy regions in memory.
  • Memory-mapped executables that are unsigned or behave anomalously.

4. Sysmon Logs

Use Sysmon Event IDs:

  • 1: Process creation
  • 10: Process access
  • 11: File creation
  • 7: Image loaded — can be used to detect mismatches

Combine with Yara rules for runtime memory scanning.

How to Prevent and Mitigate Process Hollowing

  • Enable Credential Guard and Secure Boot on Windows systems.
  • Implement Endpoint Detection and Response (EDR) solutions with memory scanning.
  • Block unsigned or untrusted executables via AppLocker or WDAC.
  • Minimize local admin privileges and apply least privilege principle.
  • Apply behavior-based detection rules and continuously monitor memory anomalies.
  • Keep systems and AV updated to recognize new techniques and tool signatures.

Conclusion

Process hollowing is a stealthy and effective method for executing malware under the cover of legitimate processes. It remains one of the most popular evasion techniques used by modern threat actors, ransomware operators, and red teams.

Understanding how process hollowing works — and how to detect and prevent it — is crucial for blue teams, incident responders, and SOC analysts. By combining behavioral monitoring, memory forensics, and proactive threat hunting, organizations can defend against this persistent threat.
