Detects adversary use of suspended process creation (CreateProcess with the CREATE_SUSPENDED flag), followed by unmapping the child's original image from memory (NtUnmapViewOfSection), writing malicious code into the freed region via VirtualAllocEx and WriteProcessMemory, then redirecting the primary thread with SetThreadContext and calling ResumeThread so execution begins inside the hollowed process.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread |

| Field | Description |
|---|---|
| HollowedImageNamePattern | Regex to match common decoy executables used for hollowing (e.g., 'svchost.exe', 'notepad.exe') |
| TimeWindow_ProcessCreateToResume | Temporal threshold for unmap/write/execute sequence (e.g., within 5–10 seconds) |
| SuspendedProcessStartFlag | CreateProcess flag used to identify suspended thread creation |
| MemoryWriteSizeThreshold | Minimum byte size to flag suspicious memory overwrite in hollowed process |
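The following is an added example (not code from the original page or from the analytic's authors) of how the tunables above can drive a correlation over normalized telemetry. It joins the Process Creation component (a suspended start of a decoy image) with the OS API Execution component (the ordered NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext, ResumeThread calls from the same parent against the same child) inside the time window, and accumulates write sizes against the threshold so that a handful of small writes does not trip the rule. The `creation_flags` field is an assumed enrichment: native Sysmon Event ID 1 does not record CreateProcess flags, so a pipeline would need to source it from another provider. All PIDs, image paths, timestamps and sizes in the sample are constructed; the Process Access component is not used here.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables mirroring the fields in the table above. Concrete values are
# assumptions for this example, not numbers taken from the page.
HOLLOWED_IMAGE_NAME_PATTERN = re.compile(
    r"\\(svchost|notepad|explorer|RuntimeBroker)\.exe$", re.IGNORECASE)
TIME_WINDOW_PROCESS_CREATE_TO_RESUME = timedelta(seconds=10)
CREATE_SUSPENDED = 0x00000004       # CreateProcess dwCreationFlags bit
MEMORY_WRITE_SIZE_THRESHOLD = 4096  # bytes; a replaced PE image is far larger

# Ordered API sequence that defines the hollowing pattern.
HOLLOWING_SEQUENCE = ("NtUnmapViewOfSection", "WriteProcessMemory",
                      "SetThreadContext", "ResumeThread")


@dataclass
class Event:
    """One normalized telemetry record (Sysmon EID 1 or an ETW API call)."""
    ts: datetime
    kind: str                # "ProcessCreate" or "ApiCall"
    source_pid: int          # process performing the action
    target_pid: int          # process acted upon (the child for ProcessCreate)
    image: str = ""          # target image path (ProcessCreate only)
    creation_flags: int = 0  # assumed enrichment; Sysmon EID 1 lacks it natively
    api: str = ""            # API name (ApiCall only)
    size: int = 0            # bytes written (WriteProcessMemory only)


@dataclass
class Alert:
    parent_pid: int
    hollowed_pid: int
    image: str
    bytes_written: int
    seconds_to_resume: float
    observed: list


def detect_process_hollowing(events, window=TIME_WINDOW_PROCESS_CREATE_TO_RESUME,
                             image_pattern=HOLLOWED_IMAGE_NAME_PATTERN,
                             write_threshold=MEMORY_WRITE_SIZE_THRESHOLD):
    """Correlate a suspended start of a decoy image with the ordered
    unmap/write/set-context/resume calls from the same parent inside the window."""
    timeline = sorted(events, key=lambda e: e.ts)  # stable: ties keep input order
    alerts = []
    for create in timeline:
        if create.kind != "ProcessCreate" or not (create.creation_flags & CREATE_SUSPENDED):
            continue
        if not image_pattern.search(create.image):
            continue
        parent, child = create.source_pid, create.target_pid
        deadline = create.ts + window
        stage, observed, bytes_written = 0, [], 0
        for e in timeline:
            if e.ts < create.ts:
                continue
            if e.ts > deadline:
                break  # sequence did not complete inside the window
            # Only API calls by the parent against this child count.
            if e.kind != "ApiCall" or (e.source_pid, e.target_pid) != (parent, child):
                continue
            if e.api != HOLLOWING_SEQUENCE[stage]:
                continue
            if e.api == "WriteProcessMemory":
                bytes_written += e.size
                if bytes_written < write_threshold:
                    continue  # small writes alone do not advance the stage
            observed.append(e.api)
            stage += 1
            if stage == len(HOLLOWING_SEQUENCE):
                alerts.append(Alert(parent, child, create.image, bytes_written,
                                    (e.ts - create.ts).total_seconds(), observed))
                break
    return alerts


def sample_events():
    """Constructed telemetry: a benign debugger start, one hollowing chain,
    and one chain whose ResumeThread lands outside the time window."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)

    def s(n):
        return t0 + timedelta(seconds=n)

    return [
        # Benign: a debugger starts notepad suspended and simply resumes it.
        Event(s(0), "ProcessCreate", 1000, 1001, r"C:\Windows\notepad.exe", CREATE_SUSPENDED),
        Event(s(1), "ApiCall", 1000, 1001, api="ResumeThread"),
        # Hollowing: svchost.exe replaced by pid 4321 within three seconds.
        Event(s(10), "ProcessCreate", 4321, 5555, r"C:\Windows\System32\svchost.exe", CREATE_SUSPENDED),
        Event(s(11), "ApiCall", 4321, 5555, api="NtUnmapViewOfSection"),
        Event(s(11), "ApiCall", 4321, 5555, api="WriteProcessMemory", size=512),      # headers
        Event(s(12), "ApiCall", 4321, 5555, api="WriteProcessMemory", size=200_000),  # sections
        Event(s(12), "ApiCall", 4321, 5555, api="SetThreadContext"),
        Event(s(13), "ApiCall", 4321, 5555, api="ResumeThread"),
        # Too slow: same steps, but ResumeThread arrives 40 s after creation.
        Event(s(100), "ProcessCreate", 7000, 7001, r"C:\Windows\explorer.exe", CREATE_SUSPENDED),
        Event(s(101), "ApiCall", 7000, 7001, api="NtUnmapViewOfSection"),
        Event(s(101), "ApiCall", 7000, 7001, api="WriteProcessMemory", size=150_000),
        Event(s(102), "ApiCall", 7000, 7001, api="SetThreadContext"),
        Event(s(140), "ApiCall", 7000, 7001, api="ResumeThread"),
    ]


def run_example():
    return detect_process_hollowing(sample_events())


if __name__ == "__main__":
    for a in run_example():
        print(f"ALERT parent={a.parent_pid} hollowed={a.hollowed_pid} image={a.image} "
              f"bytes={a.bytes_written} t={a.seconds_to_resume:.1f}s seq={'>'.join(a.observed)}")
```

Run against the constructed sample, only the svchost.exe chain alerts: the debugger start never unmaps or writes, and the explorer.exe chain exceeds the window before ResumeThread. The window, image pattern and write threshold are passed as parameters so they can be tuned per environment without touching the correlation logic.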