HackTool - HollowReaper Execution
Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
Sigma rule
```yaml
title: HackTool - HollowReaper Execution
id: 85d23b42-9a9d-4f8f-b3d7-d2733c1d58f5
status: experimental
description: |
    Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
    It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
references:
    - https://github.com/vari-sh/RedTeamGrimoire/tree/b5e7635d34db6e1f0398d8847e8f293186e947c5/HollowReaper
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\HollowReaper.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
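To show what the `selection` above does and does not match, here is an added example (not part of the rule or of the HollowReaper project) that implements the Sigma `endswith` matcher the rule uses, case-insensitive as the Sigma specification requires, and runs it over constructed Sysmon Event ID 1 records; `field_matches`, `selection_matches` and `matching_images` are my own helper names.

```python
"""Apply the HollowReaper Sigma selection to constructed process_creation events.

Added example, not the SigmaHQ rule's or HollowReaper's code. Implements only the
subset of Sigma matching this rule needs: one field, the `endswith` modifier,
case-insensitive string comparison, and `condition: selection`.
"""

# The rule's selection, copied from the YAML above.
RULE_SELECTION = {"Image|endswith": "\\HollowReaper.exe"}


def field_matches(event: dict, key: str, expected: str) -> bool:
    """Evaluate one `Field|modifier: value` pair against an event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if not isinstance(value, str):
        return False  # field absent or not a string: never matches
    value, expected = value.lower(), expected.lower()  # Sigma strings are case-insensitive
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict = RULE_SELECTION) -> bool:
    """A selection map is an AND of all its field pairs (`condition: selection`)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# Constructed Sysmon Event ID 1 records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\HollowReaper.exe"},  # match
    {"EventID": 1, "Image": "C:\\Temp\\tools\\hollowreaper.exe"},  # case differs: match
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"},  # no match
    {"EventID": 1, "Image": "C:\\Temp\\HollowReaper.exe.bak"},  # suffix differs: no match
    {"EventID": 1, "Image": "C:\\Temp\\NotHollowReaper.exe"},  # leading '\' guards: no match
]


def matching_images(events: list = SAMPLE_EVENTS) -> list:
    """Return the Image values of all events the rule would alert on."""
    return [e["Image"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for image in matching_images():
        print("HackTool - HollowReaper Execution:", image)
```

Because the selection keys on the image file name alone, a renamed copy of the launcher produces no hit; the behavioural Potential Process Hollowing Activity rule in the related list below is the complementary coverage to pair it with.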
Related rules
- HackTool - CACTUSTORCH Remote Thread Creation
- Potential Pikabot Hollowing Activity
- Potential Process Hollowing Activity
- APT27 - Emissary Panda Activity
- AWS IAM S3Browser LoginProfile Creation