Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Defense Evasion
  4. >ATTACK-T1055.012
ATTACK-T1055.012Active

Process Hollowing

Statement

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as <code>CreateProcess</code>, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as <code>ZwUnmapViewOfSection</code> or <code>NtUnmapViewOfSection</code> before being written to, realigned to the injected code, and resumed via <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)

This is very similar to Thread Local Storage but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.

Location

Tactic
Defense Evasion

Technique Details

Identifier
ATTACK-T1055.012
Parent Technique
ATTACK-T1055
ATT&CK Page
View on MITRE

Tactics

Defense EvasionPrivilege Escalation

Platforms

Windows

Detection

Detection Strategy for Process Hollowing on Windows

Mitigations

Behavior Prevention on Endpoint: Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures:

Suspicious Process Behavior:

  • Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
  • Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.

Unauthorized File Access:

  • Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
  • Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.

Abnormal API Calls:

  • Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
  • Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like OpenProcess and WriteProcessMemory and terminates the offending process.

Exploit Prevention:

  • Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
  • Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
SP 800-53
SP800-53-AC-6relatedvia ctid-attack-to-sp800-53
SP800-53-SC-18relatedvia ctid-attack-to-sp800-53
SP800-53-SC-7relatedvia ctid-attack-to-sp800-53
SP800-53-SI-2relatedvia ctid-attack-to-sp800-53
SP800-53-SI-3relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Defense Evasion
Defense Evasion183 controls
ATTACK-T1006Direct Volume AccessATTACK-T1014RootkitATTACK-T1027Obfuscated Files or InformationATTACK-T1027.001Binary PaddingATTACK-T1027.002Software PackingATTACK-T1027.003SteganographyATTACK-T1027.004Compile After DeliveryATTACK-T1027.005Indicator Removal from ToolsATTACK-T1027.006HTML SmugglingATTACK-T1027.007Dynamic API ResolutionATTACK-T1027.008Stripped PayloadsATTACK-T1027.009Embedded PayloadsATTACK-T1027.010Command ObfuscationATTACK-T1027.011Fileless StorageATTACK-T1027.012LNK Icon SmugglingATTACK-T1027.013Encrypted/Encoded FileATTACK-T1027.014Polymorphic CodeATTACK-T1027.015CompressionATTACK-T1027.016Junk Code InsertionATTACK-T1027.017SVG SmugglingATTACK-T1036MasqueradingATTACK-T1036.001Invalid Code SignatureATTACK-T1036.002Right-to-Left OverrideATTACK-T1036.003Rename Legitimate UtilitiesATTACK-T1036.004Masquerade Task or ServiceATTACK-T1036.005Match Legitimate Resource Name or LocationATTACK-T1036.006Space after FilenameATTACK-T1036.007Double File ExtensionATTACK-T1036.008Masquerade File TypeATTACK-T1036.009Break Process TreesATTACK-T1036.010Masquerade Account NameATTACK-T1036.011Overwrite Process ArgumentsATTACK-T1036.012Browser FingerprintATTACK-T1055Process InjectionATTACK-T1055.001Dynamic-link Library InjectionATTACK-T1055.002Portable Executable InjectionATTACK-T1055.003Thread Execution HijackingATTACK-T1055.004Asynchronous Procedure CallATTACK-T1055.005Thread Local StorageATTACK-T1055.008Ptrace System CallsATTACK-T1055.009Proc MemoryATTACK-T1055.011Extra Window Memory InjectionATTACK-T1055.012Process HollowingATTACK-T1055.013Process DoppelgängingATTACK-T1055.014VDSO HijackingATTACK-T1055.015ListPlantingATTACK-T1070Indicator RemovalATTACK-T1070.001Clear Windows Event LogsATTACK-T1070.002Clear Linux or Mac System LogsATTACK-T1070.003Clear Command HistoryATTACK-T1070.004File DeletionATTACK-T1070.005Network Share Connection RemovalATTACK-T1070.006TimestompATTACK-T1070.007Clear Network Connection History and ConfigurationsATTACK-T1070.008Clear Mailbox DataATTACK-T1070.009Clear PersistenceATTACK-T1070.010Relocate MalwareATTACK-T1078Valid AccountsATTACK-T1078.001Default AccountsATTACK-T1078.002Domain AccountsATTACK-T1078.003Local AccountsATTACK-T1078.004Cloud AccountsATTACK-T1112Modify RegistryATTACK-T1127Trusted Developer Utilities Proxy ExecutionATTACK-T1127.001MSBuildATTACK-T1127.002ClickOnceATTACK-T1127.003JamPlusATTACK-T1134Access Token ManipulationATTACK-T1134.001Token Impersonation/TheftATTACK-T1134.002Create Process with TokenATTACK-T1134.003Make and Impersonate TokenATTACK-T1134.004Parent PID SpoofingATTACK-T1134.005SID-History InjectionATTACK-T1140Deobfuscate/Decode Files or InformationATTACK-T1197BITS JobsATTACK-T1202Indirect Command ExecutionATTACK-T1205Traffic SignalingATTACK-T1205.001Port KnockingATTACK-T1205.002Socket FiltersATTACK-T1207Rogue Domain ControllerATTACK-T1211Exploitation for Defense EvasionATTACK-T1216System Script Proxy ExecutionATTACK-T1216.001PubPrnATTACK-T1216.002SyncAppvPublishingServerATTACK-T1218System Binary Proxy ExecutionATTACK-T1218.001Compiled HTML FileATTACK-T1218.002Control PanelATTACK-T1218.003CMSTPATTACK-T1218.004InstallUtilATTACK-T1218.005MshtaATTACK-T1218.007MsiexecATTACK-T1218.008OdbcconfATTACK-T1218.009Regsvcs/RegasmATTACK-T1218.010Regsvr32ATTACK-T1218.011Rundll32ATTACK-T1218.012VerclsidATTACK-T1218.013MavinjectATTACK-T1218.014MMCATTACK-T1218.015Electron ApplicationsATTACK-T1220XSL Script ProcessingATTACK-T1221Template InjectionATTACK-T1222File and Directory Permissions ModificationATTACK-T1222.001Windows File and Directory Permissions ModificationATTACK-T1222.002Linux and Mac File and Directory Permissions ModificationATTACK-T1480Execution GuardrailsATTACK-T1480.001Environmental KeyingATTACK-T1480.002Mutual ExclusionATTACK-T1484Domain or Tenant Policy ModificationATTACK-T1484.001Group Policy ModificationATTACK-T1484.002Trust ModificationATTACK-T1497Virtualization/Sandbox EvasionATTACK-T1497.001System ChecksATTACK-T1497.002User Activity Based ChecksATTACK-T1497.003Time Based ChecksATTACK-T1535Unused/Unsupported Cloud RegionsATTACK-T1542Pre-OS BootATTACK-T1542.004ROMMONkitATTACK-T1542.005TFTP BootATTACK-T1548.006TCC ManipulationATTACK-T1550Use Alternate Authentication MaterialATTACK-T1550.001Application Access TokenATTACK-T1550.002Pass the HashATTACK-T1550.003Pass the TicketATTACK-T1550.004Web Session CookieATTACK-T1553Subvert Trust ControlsATTACK-T1553.001Gatekeeper BypassATTACK-T1553.002Code SigningATTACK-T1553.003SIP and Trust Provider HijackingATTACK-T1553.004Install Root CertificateATTACK-T1553.005Mark-of-the-Web BypassATTACK-T1553.006Code Signing Policy ModificationATTACK-T1562Impair DefensesATTACK-T1562.001Disable or Modify ToolsATTACK-T1562.002Disable Windows Event LoggingATTACK-T1562.003Impair Command History LoggingATTACK-T1562.004Disable or Modify System FirewallATTACK-T1562.006Indicator BlockingATTACK-T1562.007Disable or Modify Cloud FirewallATTACK-T1562.008Disable or Modify Cloud LogsATTACK-T1562.009Safe Mode BootATTACK-T1562.010Downgrade AttackATTACK-T1562.011Spoof Security AlertingATTACK-T1562.012Disable or Modify Linux Audit SystemATTACK-T1562.013Disable or Modify Network Device FirewallATTACK-T1564Hide ArtifactsATTACK-T1564.001Hidden Files and DirectoriesATTACK-T1564.002Hidden UsersATTACK-T1564.003Hidden WindowATTACK-T1564.004NTFS File AttributesATTACK-T1564.005Hidden File SystemATTACK-T1564.006Run Virtual InstanceATTACK-T1564.007VBA StompingATTACK-T1564.008Email Hiding RulesATTACK-T1564.009Resource ForkingATTACK-T1564.010Process Argument SpoofingATTACK-T1564.011Ignore Process InterruptsATTACK-T1564.012File/Path ExclusionsATTACK-T1564.013Bind MountsATTACK-T1564.014Extended AttributesATTACK-T1578Modify Cloud Compute InfrastructureATTACK-T1578.001Create SnapshotATTACK-T1578.002Create Cloud InstanceATTACK-T1578.003Delete Cloud InstanceATTACK-T1578.004Revert Cloud InstanceATTACK-T1578.005Modify Cloud Compute ConfigurationsATTACK-T1599Network Boundary BridgingATTACK-T1599.001Network Address Translation TraversalATTACK-T1600Weaken EncryptionATTACK-T1600.001Reduce Key SpaceATTACK-T1600.002Disable Crypto HardwareATTACK-T1601Modify System ImageATTACK-T1601.001Patch System ImageATTACK-T1601.002Downgrade System ImageATTACK-T1610Deploy ContainerATTACK-T1612Build Image on HostATTACK-T1620Reflective Code LoadingATTACK-T1622Debugger EvasionATTACK-T1647Plist File ModificationATTACK-T1656ImpersonationATTACK-T1666Modify Cloud Resource HierarchyATTACK-T1672Email SpoofingATTACK-T1678Delay ExecutionATTACK-T1679Selective Exclusion