
Process Hollowing - T1093 (1c338d0f-a65e-4073-a5c1-c06878849f21)

Process hollowing occurs when a process is created in a suspended state, then its memory is unmapped and replaced with malicious code. Similar to Process Injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Elastic Process Injection July 2017)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Process Hollowing - T1093 (1c338d0f-a65e-4073-a5c1-c06878849f21) | Attack Pattern | 1 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | 2 |