Anthropic-Cybersecurity-Skills/skills/detecting-process-hollowing-technique/references/workflows.md

# Detailed Hunting Workflow - Process Hollowing Detection

## Phase 1: Sysmon-Based Detection

### Step 1.1 - Process Tampering Events (Sysmon v13+)
```spl
index=sysmon EventCode=25
| table _time Computer User Image Type
| sort -_time
```

### Step 1.2 - Suspicious Process Creation Patterns
```spl
index=sysmon EventCode=1
| where match(Image, "(?i)(svchost|explorer|rundll32|dllhost|conhost|taskhost)\.exe$")
| where NOT match(ParentImage, "(?i)(services\.exe|explorer\.exe|svchost\.exe|userinit\.exe|winlogon\.exe)")
| table _time Computer User Image ParentImage CommandLine
```

### Step 1.3 - KQL for MDE ProcessTampering
```kql
DeviceEvents
| where ActionType == "ProcessTampering"
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields
| order by Timestamp desc
```

## Phase 2: Parent-Child Process Validation

### Step 2.1 - Invalid Parent-Child Relationships
Known legitimate parent-child pairs:
- services.exe -> svchost.exe
- explorer.exe -> user applications
- winlogon.exe -> userinit.exe
- svchost.exe -> specific service children

```spl
index=sysmon EventCode=1
| eval expected_parent=case(
    match(Image,"(?i)svchost\.exe$"), "services.exe",
    match(Image,"(?i)taskhost\.exe$"), "svchost.exe",
    match(Image,"(?i)userinit\.exe$"), "winlogon.exe",
    match(Image,"(?i)smss\.exe$"), "System",
    1=1, "any"
)
| eval parent_name=mvindex(split(ParentImage,"\\"),-1)
| where expected_parent!="any" AND NOT match(parent_name, expected_parent)
| table _time Computer Image ParentImage expected_parent parent_name CommandLine
```

## Phase 3: Memory Analysis

### Step 3.1 - pe-sieve Scanning
```powershell
# Scan all processes for hollowing
Get-Process | ForEach-Object {
    $pid = $_.Id
    & pe-sieve64.exe /pid $pid /shellc /dmode 1 /json
}
```

### Step 3.2 - Hollows Hunter Full Scan
```powershell
# Run Hollows Hunter for automated detection
hollows_hunter64.exe /loop /json /dir C:\hunt_output
```

### Step 3.3 - Volatility Malfind
```bash
# Detect injected/modified process memory
python vol.py -f memory.raw windows.malfind

# Dump suspicious processes
python vol.py -f memory.raw windows.pslist --dump
```

## Phase 4: Behavioral Analysis

### Step 4.1 - Process Behavior Mismatches
Look for processes whose network/file behavior contradicts their identity:
```spl
index=sysmon EventCode=3
| where match(Image, "(?i)(svchost|dllhost|taskhost|conhost)\.exe$")
| where NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)")
| where DestinationPort NOT IN (53, 80, 443, 123)
| stats count by Image DestinationIp DestinationPort Computer
```

### Step 4.2 - Hollowed Process C2 Indicators
```spl
index=sysmon EventCode=3
| where match(Image, "(?i)(svchost|explorer|rundll32)\.exe$")
| bin _time span=1s
| streamstats current=f last(_time) as prev by Image Computer DestinationIp
| eval interval=_time-prev
| stats count avg(interval) as avg_interval stdev(interval) as sd by Image Computer DestinationIp
| eval cv=sd/avg_interval
| where cv < 0.3 AND count > 20
```

## Phase 5: API Call Monitoring

### Step 5.1 - Critical API Sequences
Monitor for this specific API call chain:
1. `CreateProcessW` / `CreateProcessA` with `CREATE_SUSPENDED` (0x00000004)
2. `NtUnmapViewOfSection` / `ZwUnmapViewOfSection`
3. `VirtualAllocEx` with `PAGE_EXECUTE_READWRITE`
4. `WriteProcessMemory`
5. `SetThreadContext` / `NtSetContextThread`
6. `ResumeThread` / `NtResumeThread`

### Step 5.2 - ETW Process Hollowing Detection
```powershell
# Monitor for suspicious API patterns via ETW
# Requires elevated privileges
$session = New-EtwTraceSession -Name "ProcessHollowHunt"
Add-EtwTraceProvider -SessionName "ProcessHollowHunt" `
    -Guid "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}" `
    -Level 5
```