DET0382 Detection Strategy for Process Hollowing on Windows

Item	Value
ID	DET0382
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1055.012 (Process Hollowing)

Analytics

Windows

AN1076

Detects adversary use of suspended process creation, using the CREATE_SUSPENDED flag via CreateProcess, followed by unmapping the memory of the child process (NtUnmapViewOfSection) and replacing it with malicious code via VirtualAllocEx/WriteProcessMemory, then SetThreadContext and ResumeThread to begin execution within the hollowed process.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Process Access (DC0035)	WinEventLog:Sysmon	EventCode=10
Process Modification (DC0020)	WinEventLog:Sysmon	EventCode=8
OS API Execution (DC0021)	etw:Microsoft-Windows-Kernel-Process	NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread

Mutable Elements

Field	Description
HollowedImageNamePattern	Regex to match common decoy executables used for hollowing (e.g., ‘svchost.exe’, ‘notepad.exe’)
TimeWindow_ProcessCreateToResume	Temporal threshold for unmap/write/execute sequence (e.g., within 5–10 seconds)
SuspendedProcessStartFlag	CreateProcess flag used to identify suspended thread creation
MemoryWriteSizeThreshold	Minimum byte size to flag suspicious memory overwrite in hollowed process