Detailed Hunting Workflow - Process Hollowing Detection
Phase 1: Sysmon-Based Detection
Step 1.1 - Process Tampering Events (Sysmon v13+). Event ID 25 is only generated when the Sysmon configuration contains a ProcessTampering rule section, so an empty result set means "not configured" until you have checked the config. The Type field carries the tamper kind ("Image is replaced" vs "Image is locked for access"); the former is the classic hollowing signal.
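index=sysmon EventCode=25
| table _time Computer User ProcessId ProcessGuid Image Type
| sort -_time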
Step 1.2 - Suspicious Process Creation Patterns. Match the parent on its full path, not just its file name: a parent named services.exe or explorer.exe living outside the Windows directory is itself a finding, not an exclusion. Expect conhost.exe to be noisy, since on current Windows versions it is parented by whatever console application started it.
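index=sysmon EventCode=1
| where match(Image, "(?i)(svchost|explorer|rundll32|dllhost|conhost|taskhostw?)\.exe$")
| eval parent_name=lower(mvindex(split(ParentImage,"\\"),-1))
| eval parent_dir=lower(mvindex(split(ParentImage,"\\"),-2))
| eval parent_expected=if((match(parent_name,"^(services|svchost|userinit|winlogon)\.exe$") AND match(parent_dir,"^(system32|syswow64)$")) OR (parent_name="explorer.exe" AND parent_dir="windows"), 1, 0)
| where parent_expected=0
| table _time Computer User Image ProcessId ParentImage ParentProcessId CommandLine parent_name parent_dir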
Step 1.3 - KQL for MDE ProcessTampering
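// MDE raises ProcessTampering when a process's image is replaced after creation (hollowing-style
// tampering). FileName/ProcessId is the tampered process; InitiatingProcess* is the writer.
// AdditionalFields is JSON with the tamper details. ProcessId is included so a hit can be
// pivoted straight into the pe-sieve scan in Phase 3.
DeviceEvents
| where ActionType == "ProcessTampering"
| project Timestamp, DeviceName, FileName, ProcessId, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, AdditionalFields
| sort by Timestamp desc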
Phase 2: Parent-Child Process Validation
Step 2.1 - Invalid Parent-Child Relationships
Known legitimate parent-child pairs (file names as seen in Sysmon ParentImage):
- services.exe -> svchost.exe
- explorer.exe -> user applications
- winlogon.exe -> userinit.exe
- svchost.exe -> the children of the service it hosts (e.g. taskhostw.exe from the Schedule service; taskhost.exe on older Windows)
- System -> the first smss.exe; later smss.exe instances (one per session) are children of smss.exe, so "smss.exe parented by smss.exe" is normal
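index=sysmon EventCode=1
| eval expected_parent=case(
    match(Image,"(?i)svchost\.exe$"), "services.exe",
    match(Image,"(?i)taskhostw?\.exe$"), "svchost.exe",
    match(Image,"(?i)userinit\.exe$"), "winlogon.exe",
    match(Image,"(?i)smss\.exe$"), "system|smss.exe",
    1=1, "any"
)
| eval parent_name=lower(mvindex(split(ParentImage,"\\"),-1))
| where expected_parent!="any" AND NOT like("|".expected_parent."|", "%|".parent_name."|%")
| table _time Computer Image ProcessId ParentImage ParentProcessId expected_parent parent_name CommandLine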
Phase 3: Memory Analysis
Step 3.1 - pe-sieve Scanning
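# Scan every running process with pe-sieve and print one JSON report per process.
# Run from an elevated prompt: without it, handles to SYSTEM/protected processes cannot be
# opened and those scans fail (the loop keeps going; check the per-PID output).
# $PID is a read-only automatic variable (the shell's own PID), so "$pid = $_.Id" throws
# "Cannot overwrite variable PID" instead of assigning -- the target PID needs its own name.
Get-Process | ForEach-Object {
    $targetPid = $_.Id
    & pe-sieve64.exe /pid $targetPid /shellc /dmode 1 /json
}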
Step 3.2 - Hollows Hunter Full Scan
# Hollows Hunter drives pe-sieve across all processes. /json writes machine-readable
# reports, /dir is where reports and dumps land, and /loop keeps re-scanning until the
# tool is killed (drop it for a one-shot sweep).
hollows_hunter64.exe /json /dir C:\hunt_output /loop
Step 3.3 - Volatility Malfind
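# Flag memory regions that look injected: private, executable and not backed by a file on disk.
# Hollowing that overwrites the original image mapping in place can evade this, so a clean
# malfind does not clear a process that Sysmon 25 / pe-sieve already flagged.
python vol.py -f memory.raw windows.malfind
# Dump only the process(es) flagged above instead of every process in the image
python vol.py -f memory.raw windows.pslist --pid <PID> --dump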
Phase 4: Behavioral Analysis
Step 4.1 - Process Behavior Mismatches
Look for processes whose network/file behavior contradicts their identity. Note that excluding 80/443 removes Windows Update and BITS noise from svchost.exe but also hides TLS-based C2 from the same processes; rely on the beaconing check in Step 4.2 to cover that gap.
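index=sysmon EventCode=3
| where match(Image, "(?i)(svchost|dllhost|taskhostw?|conhost)\.exe$")
| where NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|::1$|fe80:|f[cd])")
| where DestinationPort NOT IN (53, 80, 443, 123)
| stats count by Image DestinationIp DestinationPort Computer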
Step 4.2 - Hollowed Process C2 Indicators
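index=sysmon EventCode=3 Initiated=true
| where match(Image, "(?i)(svchost|explorer|rundll32)\.exe$")
| bin _time span=1s
| sort 0 _time
| streamstats current=f last(_time) as prev by Image Computer DestinationIp
| eval interval=_time-prev
| stats count avg(interval) as avg_interval stdev(interval) as sd by Image Computer DestinationIp
| eval cv=sd/avg_interval
| where isnotnull(cv) AND cv < 0.3 AND count > 20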
Phase 5: API Call Monitoring
Step 5.1 - Critical API Sequences
Monitor for this specific API call chain, in order, against the same target process:
1. CreateProcessW / CreateProcessA with CREATE_SUSPENDED (0x00000004)
2. NtUnmapViewOfSection / ZwUnmapViewOfSection on the suspended process's image base
3. VirtualAllocEx with PAGE_EXECUTE_READWRITE in the target
4. WriteProcessMemory into the newly allocated region
5. SetThreadContext / NtSetContextThread to point the primary thread at the new entry point
6. ResumeThread / NtResumeThread
Variants skip or substitute steps (e.g. no unmap, RW-then-RX allocations, direct Nt* calls), so alert on the suspended-create plus cross-process write plus context change core rather than requiring every call.
Step 5.2 - ETW Process Hollowing Detection
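# Microsoft-Windows-Kernel-Process (the GUID below) delivers process/thread/image-load events,
# not the Win32/Nt API calls listed in Step 5.1; use it to time process start, thread start and
# image-load activity around a suspect, and get the API-level sequence from EDR/hooking telemetry.
# Requires elevated privileges. Events are written to the .etl file given here; an ETW session
# keeps running (and consuming disk) until it is removed or the host reboots, so tear it down.
$session = New-EtwTraceSession -Name "ProcessHollowHunt" -LocalFilePath "C:\hunt_output\ProcessHollowHunt.etl"
Add-EtwTraceProvider -SessionName "ProcessHollowHunt" `
    -Guid "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}" `
    -Level 5
# ... collect for the hunt window, then stop the session ...
Remove-EtwTraceSession -Name "ProcessHollowHunt"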