What starting position does this attack require?

The first step is Foothold shell (T1078) — a initial access primitive. Assumed environment: foothold as a user or service account on Windows.

What is the final impact of this kill-chain?

The final step lands on SetThreadContext + ResumeThread (INJ-THREAD-HIJACK), which falls under Defense Evasion. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Process hollowing → run beacon in svchost shell

Spawn svchost.exe suspended, unmap its image, write attacker PE into the same address space, resume — the process keeps a legit-looking PEB and command line but executes beacon code.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Foothold shell

T1078 · Valid Accounts

Command and Control

Beacon under svchost.exe identity

T1071 · Application Layer Protocol

Defense Evasion

WriteProcessMemory attacker PE

INJ-PROCESS-HOLLOWING · Process Hollowing (T1055.012)

Defense Evasion

NtUnmapViewOfSection on the loaded image

INJ-PROCESS-HOLLOWING · Process Hollowing (T1055.012)

Defense Evasion

CreateProcess svchost.exe SUSPENDED

INJ-PROCESS-HOLLOWING · Process Hollowing (T1055.012)

Defense Evasion

SetThreadContext + ResumeThread

INJ-THREAD-HIJACK · Thread Execution Hijack

§ Context

Assumed environment: foothold as a user or service account on Windows. EDR/AV is signature-only or doesn't yet detect manual map / Hell's-gate-style flow.

§ Steps

01
Foothold shellInitial Access
T1078— Valid Accounts
02
Beacon under svchost.exe identityCommand and Control
T1071— Application Layer Protocol
03
WriteProcessMemory attacker PEDefense Evasion
INJ-PROCESS-HOLLOWING— Process Hollowing (T1055.012)
04
NtUnmapViewOfSection on the loaded imageDefense Evasion
INJ-PROCESS-HOLLOWING— Process Hollowing (T1055.012)
05
CreateProcess svchost.exe SUSPENDEDDefense Evasion
INJ-PROCESS-HOLLOWING— Process Hollowing (T1055.012)
06
SetThreadContext + ResumeThreadDefense Evasion
INJ-THREAD-HIJACK— Thread Execution Hijack

§ References

T1078Valid Accounts
T1071Application Layer Protocol

§ Frequently asked

What is the "Process hollowing → run beacon in svchost shell" attack path?: Spawn svchost.exe suspended, unmap its image, write attacker PE into the same address space, resume — the process keeps a legit-looking PEB and command line but executes beacon code. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Foothold shell (T1078) — a initial access primitive. Assumed environment: foothold as a user or service account on Windows.
What is the final impact of this kill-chain?: The final step lands on SetThreadContext + ResumeThread (INJ-THREAD-HIJACK), which falls under Defense Evasion. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Process hollowing → run beacon in svchost shell

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Build-system implant → signed supply-chain backdoor (SolarWinds-class)

AMSI patch → in-memory .NET / PowerShell stager

Process doppelgänging → spawn signed image with attacker bytes

certutil + bitsadmin → AV-friendly stager chain

Autodiscover external leak → credential harvest