mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 14:09:40 +03:00
cb8d79e068
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct techniques), verified against MITRE ATT&CK v19.1 via the official mitreattack-python library: 0 revoked, deprecated, or invalid IDs - Curate precise per-skill technique IDs for forensics, malware-analysis, threat-intel, and red-team skills (e.g. DCSync -> T1003.006, Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003) - Reconcile v19.1 tactic restructuring: Defense Evasion split into Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.* family and T1070.001/.002 remapped to active equivalents (T1685.*) - Normalize word-split tags across 35 skills (remove filename-derived stopword tags, add semantic cybersecurity tags) - Add api-reference.md for 3 skills that were missing it - Update README ATT&CK section with accurate v19.1 tactic distribution
116 lines
4.6 KiB
Markdown
116 lines
4.6 KiB
Markdown
---
|
|
name: detecting-process-hollowing-technique
|
|
description: Detect process hollowing (T1055.012) by analyzing memory-mapped sections,
|
|
hollowed process indicators, and parent-child process anomalies in EDR telemetry.
|
|
domain: cybersecurity
|
|
subdomain: threat-hunting
|
|
tags:
|
|
- threat-hunting
|
|
- mitre-attack
|
|
- process-hollowing
|
|
- process-injection
|
|
- edr
|
|
- t1055
|
|
- proactive-detection
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
d3fend_techniques:
|
|
- Platform Monitoring
|
|
- Process Code Segment Verification
|
|
- Segment Address Offset Randomization
|
|
- Process Analysis
|
|
- Application Hardening
|
|
nist_csf:
|
|
- DE.CM-01
|
|
- DE.AE-02
|
|
- DE.AE-07
|
|
- ID.RA-05
|
|
mitre_attack:
|
|
- T1046
|
|
- T1057
|
|
- T1082
|
|
- T1083
|
|
- T1055
|
|
---
|
|
|
|
# Detecting Process Hollowing Technique
|
|
|
|
## When to Use
|
|
|
|
- When investigating suspected fileless malware or in-memory threats
|
|
- After EDR alerts on process injection or suspicious memory operations
|
|
- When hunting for defense evasion techniques in a compromised environment
|
|
- When threat intel reports indicate process hollowing in active campaigns
|
|
- During purple team exercises validating T1055.012 detection coverage
|
|
|
|
## Prerequisites
|
|
|
|
- EDR with memory protection monitoring (CrowdStrike, MDE, SentinelOne)
|
|
- Sysmon with Event IDs 1 (Process Create), 8 (CreateRemoteThread), 25 (ProcessTampering)
|
|
- Windows ETW providers for process hollowing (Microsoft-Windows-Kernel-Process)
|
|
- Memory forensics capabilities (Volatility, WinDbg)
|
|
- Process integrity monitoring tools
|
|
|
|
## Workflow
|
|
|
|
1. **Understand Hollowing Mechanics**: Process hollowing involves creating a legitimate process in suspended state, unmapping its memory, writing malicious code, then resuming execution.
|
|
2. **Monitor Suspended Process Creation**: Hunt for processes created with CREATE_SUSPENDED flag followed by memory writes and thread resumption.
|
|
3. **Detect Memory Section Anomalies**: Identify processes where the in-memory image differs from the on-disk binary (image mismatch).
|
|
4. **Analyze Parent-Child Process Trees**: Flag processes whose behavior does not match their binary name (e.g., svchost.exe making unusual network connections).
|
|
5. **Check Process Integrity**: Compare process memory sections against the legitimate binary on disk.
|
|
6. **Correlate with Network Activity**: Hollowed processes often establish C2 connections - correlate suspicious process behavior with network logs.
|
|
7. **Document and Contain**: Report findings, isolate affected endpoints, and update detection rules.
|
|
|
|
## Key Concepts
|
|
|
|
| Concept | Description |
|
|
|---------|-------------|
|
|
| T1055.012 | Process Injection: Process Hollowing |
|
|
| T1055 | Process Injection (parent technique) |
|
|
| T1055.001 | DLL Injection |
|
|
| T1055.003 | Thread Execution Hijacking |
|
|
| T1055.004 | Asynchronous Procedure Call |
|
|
| CREATE_SUSPENDED | Windows flag to create a process in suspended state |
|
|
| NtUnmapViewOfSection | API to unmap process memory sections |
|
|
| WriteProcessMemory | API to write into another process's memory |
|
|
| ResumeThread | API to resume a suspended thread |
|
|
| Image Mismatch | Process memory content differs from on-disk binary |
|
|
| Process Doppelganging | Related technique using NTFS transactions (T1055.013) |
|
|
|
|
## Tools & Systems
|
|
|
|
| Tool | Purpose |
|
|
|------|---------|
|
|
| CrowdStrike Falcon | Memory protection and hollowing detection |
|
|
| Microsoft Defender for Endpoint | ProcessTampering alerts |
|
|
| Sysmon v13+ | Event ID 25 ProcessTampering detection |
|
|
| Volatility | Memory forensics - malfind plugin |
|
|
| pe-sieve | Process memory scanner for hollowed processes |
|
|
| Hollows Hunter | Automated hollowed process detection |
|
|
| Process Hacker | Live process memory inspection |
|
|
| API Monitor | Monitor NtUnmapViewOfSection calls |
|
|
|
|
## Common Scenarios
|
|
|
|
1. **Svchost.exe Hollowing**: Malware creates svchost.exe suspended, hollows it, injects backdoor code - process appears legitimate but behaves maliciously.
|
|
2. **Explorer.exe Hollowing**: Attacker hollows explorer.exe to inherit its network permissions and trusted process context.
|
|
3. **Rundll32 Hollowing**: Malicious loader creates rundll32.exe, replaces its memory with implant code for C2 beaconing.
|
|
4. **Multi-Stage Hollowing**: Loader uses process hollowing as first stage, then performs additional injection into services.
|
|
|
|
## Output Format
|
|
|
|
```
|
|
Hunt ID: TH-HOLLOW-[DATE]-[SEQ]
|
|
Technique: T1055.012
|
|
Hollowed Process: [Process name and PID]
|
|
Original Binary: [Expected on-disk path]
|
|
Parent Process: [Parent name and PID]
|
|
Memory Mismatch: [Yes/No]
|
|
Suspicious APIs: [NtUnmapViewOfSection, WriteProcessMemory, etc.]
|
|
Network Activity: [C2 connections if any]
|
|
Host: [Hostname]
|
|
User: [Account context]
|
|
Risk Level: [Critical/High/Medium/Low]
|
|
```
|