Register to stream ATT&CKcon 2.0 October 29-30

Process Hollowing

Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to Process Injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. [1] [2]

ID: T1093
Tactic: Defense Evasion
Platform: Windows
Permissions Required: User
Data Sources: Process monitoring, API monitoring
Defense Bypassed: Process whitelisting, Whitelisting by file name or path, Signature-based detection, Anti-virus
Version: 1.0

Procedure Examples

Name Description
Astaroth Astaroth searches for unins000.exe (GAS Tecnologia software), Syswow64\userinit.exe or System32\userinit.exe to evasively create a new process in suspended state. [15]
Azorult Azorult can decrypt the payload into memory, create a new suspended process of itself, then inject a decrypted payload to the new process and resume new process execution. [10]
BADNEWS BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process. [11] [12]
Bandook Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload. [13] [14]
BBSRAT BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution. [7]
Cobalt Strike Cobalt Strike can use process hollowing for execution. [3]
Duqu Duqu is capable of loading executable code via process hollowing. [6]
Gorgon Group Gorgon Group malware can use process hollowing to inject one of its trojans into another process. [19]
ISMInjector ISMInjector hollows out a newly created process RegASM.exe and injects its payload into the hollowed process. [8]
menuPass menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant. [18]
Orz Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload. [9]
Patchwork A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe. [17]
Smoke Loader Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware. [4] [5]
Ursnif Ursnif has used process hollowing to inject into child processes. [16]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitoring API calls may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls that unmap process memory, such as ZwUnmapViewOfSection or NtUnmapViewOfSection, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. [2]

Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

References