INJ-PROCESS-HOLLOWING · Defense Evasion
Process Hollowing (T1055.012)
Spawn a benign process suspended, unmap its image, write attacker PE in place, resume — classic SDV stealth primitive.
§ Where this technique fits
INJ-PROCESS-HOLLOWING is catalogued under the Defense Evasion tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 3 on average.
§ Dossiers chaining this technique
- step 2 / 6
Process hollowing → run beacon in svchost shell
Spawn svchost.exe suspended, unmap its image, write attacker PE into the same address space, resume — the process keeps a legit-looking PEB and command line but executes beacon code.
- step 4 / 6
Process doppelgänging → spawn signed image with attacker bytes
Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.
§ What commonly comes next
- 01 Command and Scripting Interpreter (seen 1×) · T1059 · Execution
- 02 Thread Execution Hijack (seen 1×) · INJ-THREAD-HIJACK · Defense Evasion