HackTool - HollowReaper Execution
Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
Sigma rule
title: HackTool - HollowReaper Execution
id: 85d23b42-9a9d-4f8f-b3d7-d2733c1d58f5
status: experimental
description: |
    Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
    It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
references:
    - https://github.com/vari-sh/RedTeamGrimoire/tree/b5e7635d34db6e1f0398d8847e8f293186e947c5/HollowReaper
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
    - attack.defense-evasion
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\HollowReaper.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
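The rule above has a single selection, `Image|endswith: '\HollowReaper.exe'`, evaluated against Windows process_creation events. The following is an added example, not part of the rule page or of SigmaHQ: a minimal Python evaluator for that selection, run over a few constructed process_creation events. It reproduces Sigma's default case-insensitive string matching (Windows paths are case-insensitive, so `hollowreaper.EXE` must still match) and shows the rule's coverage boundary: an event whose image name is anything else produces no alert, which is why an image-name rule like this one is normally deployed alongside the behavioural process-hollowing rules listed under Related rules. The event field names follow the Sysmon/Sigma process_creation shape; the sample paths and command lines are constructed.

```python
# Added example (not the rule's own code or SigmaHQ tooling): evaluate this
# rule's selection against constructed Windows process_creation events.
from typing import Dict, List

# The rule's detection block, transcribed from the YAML above.
SELECTION: Dict[str, str] = {"Image|endswith": "\\HollowReaper.exe"}
CONDITION = "selection"


def field_matches(event: Dict[str, str], spec_key: str, expected: str) -> bool:
    """Evaluate one 'field|modifier: value' entry of a Sigma selection.

    Sigma string matching is case-insensitive by default. Only the modifiers
    needed for simple image-name rules are implemented here (no modifier,
    endswith, startswith, contains); anything else is rejected explicitly.
    """
    field, _, modifier = spec_key.partition("|")
    actual = event.get(field)
    if actual is None:
        # Missing field never matches (Sigma treats absent fields as non-matching).
        return False
    a, e = actual.lower(), expected.lower()
    if modifier == "":
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event: Dict[str, str], selection: Dict[str, str]) -> bool:
    # A selection map is an AND of all its field entries.
    return all(field_matches(event, key, value) for key, value in selection.items())


def rule_matches(event: Dict[str, str]) -> bool:
    # condition: selection  ->  the rule fires exactly when the selection matches.
    assert CONDITION == "selection"
    return selection_matches(event, SELECTION)


# Constructed sample events in the shape of Sysmon Event ID 1 / Sigma process_creation.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": "C:\\Users\\alice\\Downloads\\HollowReaper.exe",
     "CommandLine": "HollowReaper.exe notepad.exe"},          # matches
    {"EventID": "1", "Image": "C:\\Temp\\hollowreaper.EXE",
     "CommandLine": "hollowreaper.EXE"},                       # matches (case-insensitive)
    {"EventID": "1", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},                            # benign, no match
    {"EventID": "1", "Image": "C:\\Temp\\hr.exe",
     "CommandLine": "hr.exe"},                                 # outside this rule's coverage
]


def matching_images(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event that triggers the rule, in input order."""
    return [event["Image"] for event in events if rule_matches(event)]


if __name__ == "__main__":
    for image in matching_images(SAMPLE_EVENTS):
        print("ALERT [high] HackTool - HollowReaper Execution:", image)
```

Running the block prints an alert for the first two sample events only. The fourth event is the important one for tuning: a detection keyed on `Image` alone sees nothing there, so the related hollowing and remote-thread rules, which look at process behaviour rather than file names, are what carry coverage for that case.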
Related rules
- Potential Pikabot Hollowing Activity
- Potential Process Hollowing Activity
- HackTool - CACTUSTORCH Remote Thread Creation
- Program Executed Using Proxy/Local Command Via SSH.EXE
- Antivirus Filter Driver Disallowed On Dev Drive - Registry