Potential Process Hollowing Activity

 1title: Potential Process Hollowing Activity
 2id: c4b890e5-8d8c-4496-8c66-c805753817cd
 3status: test
 4description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
 5references:
 6    - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
 7    - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
 8author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
 9date: 2022-01-25
10modified: 2023-11-28
11tags:
12    - attack.defense-evasion
13    - attack.privilege-escalation
14    - attack.t1055.012
15logsource:
16    product: windows
17    category: process_tampering
18detection:
19    selection:
20        Type: 'Image is replaced'
21    filter_main_generic:
22        Image|contains:
23            - ':\Program Files (x86)'
24            - ':\Program Files\'
25            - ':\Windows\System32\wbem\WMIADAP.exe'
26            - ':\Windows\SysWOW64\wbem\WMIADAP.exe'
27    filter_optional_opera:
28        Image|contains: '\AppData\Local\Programs\Opera\'
29        Image|endswith: '\opera.exe'
30    filter_optional_edge:
31        Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
32    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
33falsepositives:
34    - Unknown
35level: medium

References

• x.com

  
  Read More

• Microsoft Sysmon now detects malware process tampering attempts

  

  Microsoft has released Sysmon 13 with a new security feature that detects if a process has been tampered using process hollowing or process herpaderping techniques.

  
  Read More

Related rules

• Elevated System Shell Spawned From Uncommon Parent Location
• HackTool - WinPwn Execution
• HackTool - WinPwn Execution - ScriptBlock
• Potential PrintNightmare Exploitation Attempt
• Windows Spooler Service Suspicious Binary Load