Potential Process Hollowing Activity
Detects when a memory process image does not match the disk image, indicative of process hollowing.
Sigma rule (View on GitHub)
1title: Potential Process Hollowing Activity
2id: c4b890e5-8d8c-4496-8c66-c805753817cd
3status: experimental
4description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
5references:
6 - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
7 - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
8author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
9date: 2022/01/25
10modified: 2023/11/28
11tags:
12 - attack.defense_evasion
13 - attack.privilege_escalation
14 - attack.t1055.012
15logsource:
16 product: windows
17 category: process_tampering
18detection:
19 selection:
20 Type: 'Image is replaced'
21 filter_main_generic:
22 Image|contains:
23 - ':\Program Files (x86)'
24 - ':\Program Files\'
25 - ':\Windows\System32\wbem\WMIADAP.exe'
26 - ':\Windows\SysWOW64\wbem\WMIADAP.exe'
27 filter_optional_opera:
28 Image|contains: '\AppData\Local\Programs\Opera\'
29 Image|endswith: '\opera.exe'
30 filter_optional_edge:
31 Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
32 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
33falsepositives:
34 - Unknown
35level: medium
References
-
-
Microsoft has released Sysmon 13 with a new security feature that detects if a process has been tampered using process hollowing or process herpaderping techniques.
Read More
Related rules
- Function Call From Undocumented COM Interface EditionUpgradeManager
- Malware Shellcode in Verclsid Target Process
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Huawei BGP Authentication Failures